Don't parse SSH logs with rsyslog 8 - Patch proposal

FreeBSD 12.1-p5
Rsyslog 8.2004.0 from ports
sshguard 2.4.0 from ports, with pf backend

With the sub mentioned config, sshguard do not see SSH activity from auth.log

I narrowed this issue down to the TAG syntax used by rsyslog, which do not add colon after the sshd PID :

2020-05-25T23:40:43.244636+02:00 bastion sshd[53186] Invalid user plop from 99.99.99.99 port 59418

I made a patch to make colon optional in both SYSLOG_BANNER and SYSLOG_BANNED_PID. This resolved the problem for my servers with the same configuration.

Could this be included in sshguard?

Here is the relatively basic rsyslog config triggering the issue :

module(load="immark")   # provides --MARK-- message capability
module(load="imuxsock") # mandatory for local system logging

global(workDirectory="/var/spool/rsyslog")

*.err;kern.warning;auth.notice;mail.crit;console.info           /var/log/console.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/security
auth.info;authpriv.info                                         /var/log/auth.log
mail.info                                                       /var/log/maillog
cron.*                                                          /var/log/cron
*.emerg                                                         :omusrmsg:*

*.*  action(
  Action.resumeInterval="10"
  RebindInterval="10000"            # cycling TCP connections allows for load balancing
  Queue.Size="100000"
  Queue.DiscardMark="97500"
  Queue.HighWaterMark="80000"
  Queue.Type="LinkedList"
  Queue.FileName="rsyslogqueue"
  Queue.CheckpointInterval="100"
  Queue.MaxDiskSpace="2g"
  Action.ResumeRetryCount="-1"
  Queue.SaveOnShutdown="on"
  Queue.TimeoutEnqueue="10"
  Queue.DiscardSeverity="0"
  type="omfwd"
  target="graylog"
  protocol="tcp"
  port="1514"
  template="RSYSLOG_SyslogProtocol23Format" )

‌

Comments (4)