I am running debian, the system is configured using tmpfs for /var/log directory, so every time when the system boots up, /var/log is clean.
I see sshguard fails with "File '/var/log/auth.log' vanished while adding!". It looks like by the time when sshguard is started (by systemd), the file /var/log/auth.log has not been created yet (it will be created later, in several seconds).
Can sshguard offer an option to wait till /var/log/auth.log to create? currently in sshguard_logsuck.c:logsuck_add_logsource(), if the file does not exist (either hasn't been created, or has been cleaned by some cron job),sshguard just quits.