You are not logged in.

#1 2012-09-04 11:38:00

adr3nal1n
Member
Registered: 2010-09-23
Posts: 60

sshguard auth.log and systemd?

Hi,

I am using systemd and am considering running iptables/sshguard

Using the default installation of systemd nothing gets logged to /var/log/auth.log so was wondering how sshguard would work?

Would I need to install syslog-ng to work with systemd first to ensure that auth.log is populated?

Thanks in advance for any advice on this.

Offline

#2 2012-09-04 13:20:43

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: sshguard auth.log and systemd?

You could also try to run journalctl and pipe its output to sshguard. I think somthing like this command should output the necessary lines

journalctl -f -l SYSLOG_FACILITY=10

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#3 2012-09-04 16:15:07

adr3nal1n
Member
Registered: 2010-09-23
Posts: 60

Re: sshguard auth.log and systemd?

Thanks very much for the tip, will give it a go.

Offline

#4 2012-09-06 14:44:41

lahwaacz
Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 748

Re: sshguard auth.log and systemd?

progandy wrote:

You could also try to run journalctl and pipe its output to sshguard. I think somthing like this command should output the necessary lines

journalctl -f -l SYSLOG_FACILITY=10

I've tried this, but it doesn't work. I guess journald groups similar (or the same) messages and generates new message with the number of unsuccessful logins. In the output of journalctl I get this:

Sep 06 16:39:50 asusntb sshd[20843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan  user=lahwaacz
Sep 06 16:40:38 asusntb sshd[20843]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=rsp.lan  user=lahwaacz

Offline

#5 2012-09-06 14:57:14

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: sshguard auth.log and systemd?

I think it can group old messages, but new messages after starting the follow-mode will all be shown since it is not possible to delete a line from the text output and recreate it after it has been printed.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#6 2012-09-06 15:01:33

lahwaacz
Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 748

Re: sshguard auth.log and systemd?

It's output of 'journalctl -f -l SYSLOG_FACILITY=10' command.
I think journald waits for sshd to exit (it's started on-demand using socket activation) and then prints the message of the number of failed login attempts.

Offline

#7 2012-09-15 12:21:59

Fraterius
Member
Registered: 2008-12-03
Posts: 18

Re: sshguard auth.log and systemd?

Isn't the best way to dill with that use both just like described here:

https://wiki.archlinux.org/index.php/Sy … log_daemon

I'm also going to dill with that but in few weeks or so. Will share my observation with you.

Offline

#8 2012-09-17 17:36:03

lahwaacz
Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 748

Re: sshguard auth.log and systemd?

Fraterius wrote:

Isn't the best way to dill with that use both just like described here:

https://wiki.archlinux.org/index.php/Sy … log_daemon

I'm also going to dill with that but in few weeks or so. Will share my observation with you.

Why use two log daemons when you can use only one? For now I just disabled sshd altogether, because it's quite useless for me now when I'm on college... But I'd still like to make it work.

Offline

Board footer

Powered by FluxBB