sshguard is not compatible with RFC 5424 log format
pfSense 2.5.0 has an option to change the syslog style from the default RFC 3154 format to the new RFC 5424 format. However, sshguard does not appear to parse the messages properly when fed RFC 5424 format log data.
I tested with ssh messages so it shouldn't be anything specific to pfSense at play here.
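The difference between the two framings is the whole problem: an RFC 3164 (BSD) line begins with `Mmm dd HH:MM:SS host tag[pid]:`, while an RFC 5424 line begins with `<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA` before the message text, so a matcher written for the first shape never reaches the `sshd` message in the second. The following Python is an added example, not code from pfSense or sshguard: it parses both framings (including an RFC 5424 STRUCTURED-DATA element), extracts the attacker address from an sshd authentication failure, and shows a BSD-only matcher returning nothing for RFC 5424 input. The log lines are constructed for the example, and all function names (`parse_syslog`, `attacker_address`, `bsd_only_attacker_address`) are hypothetical.

```python
import re

# Constructed sample lines, not captured from pfSense or sshguard.
BSD_LINE = ("Jan  5 12:34:56 fw sshd[1234]: Failed password for invalid user admin "
            "from 203.0.113.5 port 4242 ssh2")
RFC5424_LINE = ("<38>1 2021-01-05T12:34:56.123456-05:00 fw sshd 1234 - - "
                "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2")
RFC5424_SD_LINE = ('<38>1 2021-01-05T12:35:01Z fw sshd 1234 - [meta seq="7"] '
                   "Invalid user admin from 203.0.113.5 port 4243")

# RFC 3164 framing: optional <PRI>, BSD timestamp, host, tag[pid]: msg
BSD_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# RFC 5424 framing: optional <PRI>, VERSION "1", then space-separated header fields
RFC5424_RE = re.compile(
    r"^(?:<\d{1,3}>)?1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$"
)
# sshd authentication-failure messages that carry a source address
SSH_ATTACK_RE = re.compile(
    r"^(?:Failed password for (?:invalid user )?\S+|Invalid user \S+|"
    r"Did not receive identification string) from (?P<ip>[0-9a-fA-F.:]+)"
)


def _split_structured_data(rest):
    """Split RFC 5424 STRUCTURED-DATA from MSG. '-' means no SD; otherwise one or
    more [..] elements whose quoted values may contain '\\]' escapes."""
    if rest == "-":
        return "-", ""
    if rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("malformed STRUCTURED-DATA")
    i = 0
    while i < len(rest) and rest[i] == "[":
        in_quotes = False
        i += 1
        while i < len(rest):
            c = rest[i]
            if c == "\\" and in_quotes:
                i += 2          # skip the escaped character
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                i += 1
                break
            i += 1
    sd, msg = rest[:i], rest[i:]
    return sd, (msg[1:] if msg.startswith(" ") else msg)


def parse_syslog(line):
    """Parse a BSD (RFC 3164) or RFC 5424 syslog line into a dict, or None."""
    m = RFC5424_RE.match(line)
    if m:
        sd, msg = _split_structured_data(m.group("rest"))
        pid = None if m.group("pid") == "-" else m.group("pid")
        return {"format": "rfc5424", "host": m.group("host"), "app": m.group("app"),
                "pid": pid, "sd": sd, "msg": msg}
    m = BSD_RE.match(line)
    if m:
        return {"format": "rfc3164", "host": m.group("host"), "app": m.group("app"),
                "pid": m.group("pid"), "sd": "-", "msg": m.group("msg")}
    return None


def attacker_address(line):
    """Source address of an sshd auth failure, whichever framing the line uses."""
    rec = parse_syslog(line)
    if rec is None or rec["app"] != "sshd":
        return None
    m = SSH_ATTACK_RE.match(rec["msg"])
    return m.group("ip") if m else None


def bsd_only_attacker_address(line):
    """The same check with a matcher that only knows RFC 3164 framing: this is
    the failure mode the issue describes, returning None for RFC 5424 lines."""
    m = BSD_RE.match(line)
    if not m or m.group("app") != "sshd":
        return None
    m2 = SSH_ATTACK_RE.match(m.group("msg"))
    return m2.group("ip") if m2 else None


if __name__ == "__main__":
    for line in (BSD_LINE, RFC5424_LINE, RFC5424_SD_LINE):
        print(parse_syslog(line)["format"], attacker_address(line),
              bsd_only_attacker_address(line))
```

The practical check before switching the log format on a firewall that feeds a log-based blocker is the last column above: if the matcher that reads your logs only understands the BSD framing, every RFC 5424 line yields `None` and no attacker is ever blocked, while the log itself still looks perfectly healthy.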
#1 Updated by Jim Pingle 6 months ago
- Assignee deleted (
Brief review didn't turn up any options that might help, and I didn't see any similar format messages in the sshguard tests.txt list. I opened an issue upstream with sshguard: https://bitbucket.org/sshguard/sshguard/issues/124/sshguard-does-not-parse-rfc-5424-format
If it isn't addressed before we need to ship 2.5.0, then we should at least add a warning to the syslog format selection option in the GUI alerting the user to the potential danger of using the other format.
#2 Updated by Jim Pingle about 2 months ago
sshguard has added support for this log format in their repo, but it has not yet been released. Something to watch out for: https://bitbucket.org/sshguard/sshguard/commits/c18687f