sshguard is not compatible with RFC 5424 log format
pfSense 2.5.0 has an option to change the syslog style from the default RFC 3154 format to the new RFC 5424 format. However, sshguard does not appear to parse the messages properly when fed RFC 5424 format log data.
I tested with ssh messages so it shouldn't be anything specific to pfSense at play here.
#1 Updated by Jim Pingle about 2 months ago
- Assignee deleted (
Brief review didn't turn up any options that might help, and I didn't see any similar format messages in the sshguard tests.txt list. I opened an issue upstream with sshguard: https://bitbucket.org/sshguard/sshguard/issues/124/sshguard-does-not-parse-rfc-5424-format
If it isn't addressed before we need to ship 2.5.0, then we should at least add a warning to the syslog format selection option in the GUI alerting the user to the potential danger of using the other format.