macOS LOGREADER should be unbuffered
Issue #82
open
On macOS 10.12+, using the recommended LOGREADER example works, but since the output is sent into a pipe, the parser doesn't see the log lines until the pipe buffer has filled. That allows multiple attack attempts to occur before sshguard intercepts.
I was able to fix this by using the unbuffer command from the expect package and editing the sshguard script:
export HOME=/Users/Shared # needs to be set for tcl file expansion tailcmd="/usr/local/bin/unbuffer $LOGREADER"
But this is not a desirable solution because it requires the installation of the expect package.
This problem applies to any situation where LOGREADER is used and the originating process cannot be set to unbuffer stdout.
Comments (5)
-
reporter
-
I havne’t got the time to test right now, but does any of these solve your problem? I’ll get around to fixing it this weekend if you could test these, @jinschoi.
# 1) $LOGREADER | grep --line-buffered '^' # 2) $LOGREADER | while read line ; do echo $line -
reporter
No. I already tried the first. The issue is that on most Unix systems, stdout is buffered when it is going to a pipe. There is nothing that can be done on the right side of the pipe that will fix the problem. Unbuffer works by running the process in a pty, which makes the output be line buffered.
-
- changed status to open
-
- removed version
Removing version: 2.0 (automated comment)
- Log in to comment
Modifying LOGREADER to be "HOME=/Users/Shared /usr/local/bin/unbuffer /usr/bin/log stream..." also works.