Reading sshguard_log.c it looks like LOG_AUTH is hardwired into sshguard. That means it logs its activities to the same place that it reads from. This doesn't appear configurable. Ideally the syslog facility should be configurable somehow. (e.g., command line option)
My problem is that I have a whitelisted host that is checking some services via nagios. Something about how it is doing things causes sshguard to want to block it. That's fine. I put it in the whitelist. Now I have a steady stream of these log messages: Dec 24 15:12:29 xxxx sshguard: xx.xx.xx.xx: not blocking (on whitelist)
They're logged at auth.info and I can't change that. I'd like to have sshguard either not log its info-level stuff, or log it to a configurable facility. I might have authenticating services running who log at auth.info and I want sshguard to see those auth.info posts for its purposes. But I hate seeing a message every 5 minutes from sshguard itself saying that (for the umpteenth time) it didn't block something because it was on the whitelist.