Project

General

Profile

Actions

Bug #12747

open

System log is filled by sshguard

Added by Steve Wheeler 5 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Logging
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
All

Description

sshguard has to restart when he logs are rotated in 2.6 in order to monitor the current file. When it does so it logs the service restart.
In an even moderately busy firewall this can produce a lot of log entries to the point it starts to hide other more important logs.
It appears to restart whenever any log is rotated, is that actually required?

For example on a test system where an IPSec tunnel is configured but never connects the ipsec log rotates frequently resulting in a system log:

Jan 31 00:25:00     sshguard     29496     Exiting on signal.
Jan 31 00:25:00     sshguard     9940     Now monitoring attacks.
Jan 31 03:17:00     sshguard     9940     Exiting on signal.
Jan 31 03:17:00     sshguard     60321     Now monitoring attacks.
Jan 31 06:09:00     sshguard     60321     Exiting on signal.
Jan 31 06:09:00     sshguard     83661     Now monitoring attacks.
Jan 31 09:01:00     sshguard     83661     Exiting on signal.
Jan 31 09:01:00     sshguard     93166     Now monitoring attacks.
Jan 31 11:53:00     sshguard     93166     Exiting on signal.
Jan 31 11:53:00     sshguard     94019     Now monitoring attacks. 

It's possible to mitigate this to some extent by increasing the log file size reducing the rotation frequency.


Files

clipboard-202204221938-uajpw.png (9.84 KB) clipboard-202204221938-uajpw.png Marle Cua-chin, 04/22/2022 06:38 AM
Actions #1

Updated by Viktor Gurov 4 months ago

it seems to be related to #12833

Actions #2

Updated by Todd Marimon 4 months ago

I am seeing this as well. In my case it seems to be every 2 minutes-- quite a lot of log noise! On pfSense 2.6.0.

Feb 24 00:13:00    sshguard    62471    Now monitoring attacks.
Feb 24 00:13:00    sshguard    28882    Exiting on signal.
Feb 24 00:11:00    sshguard    28882    Now monitoring attacks.
Feb 24 00:11:00    sshguard    90479    Exiting on signal.
Feb 24 00:09:00    sshguard    90479    Now monitoring attacks.
Feb 24 00:09:00    sshguard    60259    Exiting on signal.
Feb 24 00:07:00    sshguard    60259    Now monitoring attacks.
Feb 24 00:07:00    sshguard    98243    Exiting on signal.
Feb 24 00:05:00    sshguard    98243    Now monitoring attacks.
Feb 24 00:05:00    sshguard    994    Exiting on signal.
Actions #3

Updated by Carsten F 3 months ago

Having the same issue since 2.6.0.

Actions #4

Updated by Michael TRVL ALBT 2 months ago

Having the same issue since 2.6.0 too.

Actions #5

Updated by Marle Cua-chin 2 months ago

I'm also experiencing the same issue on 2.6.0

Actions #6

Updated by Antonio Pesce about 2 months ago

I'm having the same issue on 2.6.0 on 6 pfSense instance.

Actions

Also available in: Atom PDF