Excessive log messages when polling from files

Issue #25 resolved
Bruno Friedmann created an issue

Every time sshguard is started, it starts flooding syslog:

mar 06 21:21:23 obione sshguard[10810]: Adding '-' to polled files.
mar 06 21:21:23 obione sshguard[10810]: File '-' added, fd 0, serial 0.
mar 06 21:21:23 obione sshguard[10810]: whitelist: add '127.0.0.1' as plain IPv4.
mar 06 21:21:23 obione sshguard[10810]: whitelist: add plain IPv4 127.0.0.1.
mar 06 21:21:23 obione sshguard[10810]: whitelist: add '::1' as plain IPv6.
mar 06 21:21:23 obione sshguard[10810]: whitelist: add plain IPv6 ::1.
mar 06 21:21:23 obione sshguard[10810]: Set environment: SSHG_ACTION=init;SSHG_PID=10810
mar 06 21:21:23 obione sshguard[10810]: Run command "TBL=iptables; if [ x$SSHG_ADDRKIND == x6 ]; then TBL=ip6tables; fi; iptblscmd() { /usr/sbin/$TBL -w $@; r=$?; if [ $r == 2 ]; then exec /usr/sbin/$TBL $@; fi; exit $r; }; iptblscmd -L -n": exited 0.
mar 06 21:21:23 obione sshguard[10810]: blacklist: ignoring malformed line 1
mar 06 21:21:23 obione sshguard[10810]: blacklist: ignoring malformed line 2
mar 06 21:21:23 obione sshguard[10810]: blacklist: blocking 0 addresses
mar 06 21:21:23 obione sshguard[10810]: whitelist: add '127.0.0.1' as plain IPv4.
mar 06 21:21:23 obione sshguard[10810]: whitelist: skipping plain IPv4 127.0.0.1 -- already present.
mar 06 21:21:23 obione sshguard[10810]: blacklist: ignoring malformed line 1
mar 06 21:21:23 obione sshguard[10810]: blacklist: ignoring malformed line 2
mar 06 21:21:23 obione sshguard[10810]: blacklist: blocking 0 addresses
mar 06 21:21:23 obione sshguard[10810]: whitelist: add '127.0.0.1' as plain IPv4.
mar 06 21:21:23 obione sshguard[10810]: whitelist: skipping plain IPv4 127.0.0.1 -- already present.
mar 06 21:21:23 obione sshguard[10810]: Monitoring attacks from log files
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 20 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 21 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Read line from '-'.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 20 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 21 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 22 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 23 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 24 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 25 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 26 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 27 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 28 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 29 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 30 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 31 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 32 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 33 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 34 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 36 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 38 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 40 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 42 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 44 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 46 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 48 ms before next poll.
mar 06 21:21:23 obione sshguard[10810]: Refreshing sources showed 0 changes.
mar 06 21:21:23 obione sshguard[10810]: Sleeping 50 ms before next poll.

It makes it just unusable, unfortunately.

Comments (15)

  1. Kevin Zheng

    It sounds like you have the debugging flag enabled. Have you tried unsetting SSHGUARD_DEBUG in your environment?

  2. Bruno Friedmann reporter

    I'm actually using this patch, because the log is always flooding with or without SSHGUARD_DEBUG (which gives other information if set up).

    diff --git i/src/sshguard_logsuck.c w/src/sshguard_logsuck.c
    index d6b4e2b..0588b44 100644
    --- i/src/sshguard_logsuck.c
    +++ w/src/sshguard_logsuck.c
    @@ -286,7 +286,7 @@ static int refresh_files() {
         }
         list_iterator_stop(& sources_list);
    
    -    sshguard_log(LOG_INFO, "Refreshing sources showed %u changes.", numchanged);
    +    /* sshguard_log(LOG_INFO, "Refreshing sources showed %u changes.", numchanged); */
         return 0;
     }
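
Review bot: Commenting out the sshguard_log(LOG_INFO, "Refreshing sources showed %u changes.", numchanged) call at the end of refresh_files() removes the message in every mode, including for someone who sets SSHGUARD_DEBUG to diagnose polling, and leaves dead code in the function. Consider keeping the call but lowering its priority to LOG_DEBUG, or emitting it only when numchanged is non-zero, so that an idle poll writes nothing while real source changes are still recorded.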
    
  3. Kevin Zheng

    Are you using log sucker with only standard input? If you're only reading from standard input, omit the -l argument. You should use -l - only when you're also reading from a file.

  4. Lodvær

    I also have this issue, while reading only one log with -l <logfile>. I think it is caused by logging to the same file one reads from. Every time a line is read, it logs "Refreshing sources showed 0 changes.", which is then read, again triggering it to log.

  5. gedge

    Running sshguard (FreeBSD port), getting this error:

    Mar 13 01:37:52 wholly sshguard[14033]: Refreshing sources showed 0 changes.
    Mar 13 01:38:23 wholly last message repeated 116 times
    Mar 13 01:40:24 wholly last message repeated 342 times
    

    endless logging, not using -l -

  6. Kevin Zheng

    Could you include your SSHGuard invocation? Is it using -l with only one file? Is the file /var/log/auth.log?

  7. Lodvær

    sshguard -l /var/log/socklog/secure/current -b 200:/var/db/sshguard/blacklist.db

    /var/log/socklog/secure/current has auth messages.

  8. gedge

    Stock FreeBSD args (src)

    # ps auxww|grep ssh[g]
    root    7343   0.0  0.0  1344   3104  -  Is    2:09am     0:05.65 /usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist
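
A quick check for the condition suspected in comments 4 and 6 (sshguard polling a file that also receives its own syslog output), as an added example that is not part of the thread or of sshguard. The function names and sample log files are constructed for illustration; only the -l, -b and -a flags are taken from the invocations quoted here.

```shell
#!/bin/sh
# Added example (not part of sshguard): report which files given to
# sshguard with -l already contain sshguard's own syslog lines.

# Print one path per line for every "-l FILE" or "-lFILE" argument.
# "-" means standard input and is skipped.
list_polled_files() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)  shift; [ $# -gt 0 ] || break; f=$1 ;;
            -l*) f=${1#-l} ;;
            *)   shift; continue ;;
        esac
        [ "$f" = "-" ] || printf '%s\n' "$f"
        shift
    done
}

# Print "FILE COUNT" for each readable polled file that holds lines
# tagged "sshguard[PID]:", i.e. the daemon's output lands in its own input.
self_logged_files() {
    list_polled_files "$@" | while IFS= read -r f; do
        [ -r "$f" ] || continue
        n=$(grep -c -E ' sshguard\[[0-9]+\]: ' "$f" || true)
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$f" "$n"; fi
    done
}

# Constructed sample logs: auth.log receives sshguard's messages, maillog does not.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/auth.log" <<'EOF'
Mar 13 01:37:51 wholly sshd[912]: Failed password for invalid user test from 192.0.2.7 port 4022 ssh2
Mar 13 01:37:52 wholly sshguard[14033]: Refreshing sources showed 0 changes.
Mar 13 01:37:52 wholly sshguard[14033]: Refreshing sources showed 0 changes.
EOF
    cat > "$d/maillog" <<'EOF'
Mar 13 01:37:50 wholly postfix/smtpd[2210]: connect from unknown[192.0.2.9]
EOF
    # Flags mirror the invocations quoted in the thread; paths are the samples.
    ( cd "$d" && self_logged_files -b 40:blacklist.db -l auth.log -l maillog -l- -a 40 )
    rm -rf "$d"
}

demo
```

Any file it prints is one where syslog routes sshguard's messages back into a polled source; pass the arguments of the running daemon to `self_logged_files` to check a real host.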
    
  9. Bruno Friedmann reporter

    Sorry, I was away during the week... My usage is the following:

    /usr/bin/journalctl -u sshd -u pure-ftpd -u dovecot -u postfix -alfb --no-pager -p info -n1 -o cat | /usr/sbin/sshguard -l- -a 50 -p 3600 -s 7200 -w /var/lib/sshguard/whitelist.db -b 100:/var/lib/sshguard/blacklist.db SYSLOG_FACILITY=10
    

    @Partmedia, if I understand your statement in the previous comment correctly, in that sort of case we should remove the -l-? Then it's a breakage from the previous version, and we should adapt the comments and documentation.
