Hi,
I am using systemd and am considering running iptables/sshguard
Using the default installation of systemd nothing gets logged to /var/log/auth.log so was wondering how sshguard would work?
Would I need to install syslog-ng to work with systemd first to ensure that auth.log is populated?
Thanks in advance for any advice on this.
You could also try to run journalctl and pipe its output to sshguard. I think something like this command should output the necessary lines:
journalctl -f -l SYSLOG_FACILITY=10
Thanks very much for the tip, will give it a go.
> You could also try to run journalctl and pipe its output to sshguard. I think something like this command should output the necessary lines:
> journalctl -f -l SYSLOG_FACILITY=10

I've tried this, but it doesn't work. I guess journald groups similar (or the same) messages and generates a new message with the number of unsuccessful logins. In the output of journalctl I get this:
Sep 06 16:39:50 asusntb sshd[20843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan user=lahwaacz
Sep 06 16:40:38 asusntb sshd[20843]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan user=lahwaacz
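The two lines quoted above are the edge case a log-watching tool has to handle: after the first failure, pam_unix stops logging each attempt and emits one "PAM N more authentication failures" summary for the rest of the session when the sshd process exits. A tool that only matches the first line form undercounts the attacker's attempts. The following is an added example, not code from the thread or from sshguard; it parses both forms and credits the aggregated count to the same rhost. The sample lines are constructed in the format shown in the post (the last two lines and the hosts 203.0.113.7 and 192.0.2.10 are made up), and the threshold value is an assumption. When run as a script it reads a journalctl stream on stdin; the pipeline in the comment is my assumed invocation, not a recommendation from the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample lines, in the format journalctl prints for the authpriv
# facility (SYSLOG_FACILITY=10). The first two are taken from the post above;
# the last two are made up to exercise the other paths.
SAMPLE_JOURNAL_LINES = [
    "Sep 06 16:39:50 asusntb sshd[20843]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan user=lahwaacz",
    "Sep 06 16:40:38 asusntb sshd[20843]: PAM 5 more authentication failures; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan user=lahwaacz",
    "Sep 06 16:41:02 asusntb sshd[20851]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root",
    "Sep 06 16:41:05 asusntb sshd[20851]: Accepted publickey for lahwaacz from 192.0.2.10 port 50222 ssh2",
]

# First failure of a session: one line per attempt is NOT guaranteed after this.
SINGLE_FAILURE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*?rhost=(?P<rhost>\S*)"
)
# Summary line pam_unix emits when the session ends: N further failures.
MORE_FAILURES = re.compile(
    r"sshd\[(?P<pid>\d+)\]: PAM (?P<count>\d+) more authentication failures;"
    r".*?rhost=(?P<rhost>\S*)"
)


def failures_in_line(line):
    """Return (rhost, number_of_failures) for a failure line, else None."""
    m = SINGLE_FAILURE.search(line)
    if m:
        return m.group("rhost"), 1
    m = MORE_FAILURES.search(line)
    if m:
        # Credit the aggregated failures to the same remote host.
        return m.group("rhost"), int(m.group("count"))
    return None


def count_failures(lines):
    """Total authentication failures per rhost over an iterable of log lines."""
    per_host = Counter()
    for line in lines:
        hit = failures_in_line(line)
        if hit:
            rhost, n = hit
            per_host[rhost] += n
    return per_host


def offenders(lines, threshold):
    """Sorted list of hosts whose failure count reaches the threshold."""
    return sorted(h for h, n in count_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    # Assumed invocation (follow mode, message text only):
    #   journalctl -f -o cat SYSLOG_FACILITY=10 | python3 this_script.py
    # Hosts are reported once, the first time they cross the threshold.
    THRESHOLD = 5  # assumption; tune to taste
    seen = Counter()
    reported = set()
    for raw in sys.stdin:
        hit = failures_in_line(raw)
        if not hit:
            continue
        rhost, n = hit
        seen[rhost] += n
        if seen[rhost] >= THRESHOLD and rhost not in reported:
            reported.add(rhost)
            print(f"{rhost}: {seen[rhost]} failed logins, would block here")
```

On the sample above, rsp.lan ends up with 6 failures (1 + 5) even though only two lines mention it, while a parser that ignores the summary line would see one. Whether a given sshguard release understands the "PAM N more" form is something to check against its own pattern list before relying on it.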
I think it can group old messages, but new messages after starting the follow-mode will all be shown since it is not possible to delete a line from the text output and recreate it after it has been printed.
It's the output of the 'journalctl -f -l SYSLOG_FACILITY=10' command.
I think journald waits for sshd to exit (it's started on-demand using socket activation) and then prints the message of the number of failed login attempts.
Isn't the best way to deal with that to use both, just like described here:
https://wiki.archlinux.org/index.php/Sy … log_daemon
I'm also going to deal with that, but in a few weeks or so. I'll share my observations with you.
> Isn't the best way to deal with that to use both, just like described here:
> https://wiki.archlinux.org/index.php/Sy … log_daemon
> I'm also going to deal with that, but in a few weeks or so. I'll share my observations with you.

Why use two log daemons when you can use only one? For now I just disabled sshd altogether, because it's quite useless for me now that I'm at college... But I'd still like to make it work.