Bug #12747
openSystem log is filled by sshguard
0%
Description
sshguard has to restart when he logs are rotated in 2.6 in order to monitor the current file. When it does so it logs the service restart.
In an even moderately busy firewall this can produce a lot of log entries to the point it starts to hide other more important logs.
It appears to restart whenever any log is rotated, is that actually required?
For example on a test system where an IPSec tunnel is configured but never connects the ipsec log rotates frequently resulting in a system log:
Jan 31 00:25:00 sshguard 29496 Exiting on signal. Jan 31 00:25:00 sshguard 9940 Now monitoring attacks. Jan 31 03:17:00 sshguard 9940 Exiting on signal. Jan 31 03:17:00 sshguard 60321 Now monitoring attacks. Jan 31 06:09:00 sshguard 60321 Exiting on signal. Jan 31 06:09:00 sshguard 83661 Now monitoring attacks. Jan 31 09:01:00 sshguard 83661 Exiting on signal. Jan 31 09:01:00 sshguard 93166 Now monitoring attacks. Jan 31 11:53:00 sshguard 93166 Exiting on signal. Jan 31 11:53:00 sshguard 94019 Now monitoring attacks.
It's possible to mitigate this to some extent by increasing the log file size reducing the rotation frequency.
Files
Updated by Todd Marimon about 1 year ago
I am seeing this as well. In my case it seems to be every 2 minutes-- quite a lot of log noise! On pfSense 2.6.0.
Feb 24 00:13:00 sshguard 62471 Now monitoring attacks. Feb 24 00:13:00 sshguard 28882 Exiting on signal. Feb 24 00:11:00 sshguard 28882 Now monitoring attacks. Feb 24 00:11:00 sshguard 90479 Exiting on signal. Feb 24 00:09:00 sshguard 90479 Now monitoring attacks. Feb 24 00:09:00 sshguard 60259 Exiting on signal. Feb 24 00:07:00 sshguard 60259 Now monitoring attacks. Feb 24 00:07:00 sshguard 98243 Exiting on signal. Feb 24 00:05:00 sshguard 98243 Now monitoring attacks. Feb 24 00:05:00 sshguard 994 Exiting on signal.
Updated by Michael TRVL ALBT 11 months ago
Having the same issue since 2.6.0 too.
Updated by Marle Cua-chin 11 months ago
I'm also experiencing the same issue on 2.6.0
Updated by Antonio Pesce 11 months ago
I'm having the same issue on 2.6.0 on 6 pfSense instance.
Updated by Geovane Gonçalves 9 months ago
I'm having the same issue on 2.6.0 at every 1 minute:
Jul 5 09:33:00 sshguard 77002 Exiting on signal.
Jul 5 09:33:00 sshguard 19637 Now monitoring attacks.
Jul 5 09:34:00 sshguard 19637 Exiting on signal.
Jul 5 09:34:00 sshguard 40779 Now monitoring attacks.
Jul 5 09:35:00 sshguard 40779 Exiting on signal.
Jul 5 09:35:00 sshguard 64718 Now monitoring attacks.
Jul 5 09:36:00 sshguard 64718 Exiting on signal.
Jul 5 09:36:00 sshguard 6061 Now monitoring attacks.
Jul 5 09:37:00 sshguard 6061 Exiting on signal.
Jul 5 09:37:00 sshguard 46190 Now monitoring attacks.
As a workaround I disabled the log packets matched from the default block rules in the ruleset to reduce the amount of system logs, but that didn't happen before the upgrade. The frequency has dropped and now I'm watching.
After a period of calm, he logged back in every minute. Maybe on restart of syslogd. I changed the file size from 500K to 1024 and I'm tracking again.
Doubling the size of the logs from 512K to 1024K didn't work either. After about a day the logs became polluted again. No solution.
Updated by van trung tran 4 months ago
I am having the same issue in 22.05. Netgate XG1541
Updated by Michael Kellogg 2 months ago
I am Still seeing this on 2.7 built on Fri Jan 20 03:01:02 UTC 2023
seems like every 5-10 minutes not a pattern i can figure out