Hello,
SSHGuard seems to be ignoring everything from journalctl AFAICT. I tried the following:
    tail -F -n1 /var/log/auth.log | /usr/sbin/sshguard -l - -b /var/db/sshguard/blacklist.db
Works
    /usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
Works
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | /usr/sbin/sshguard -l - -b /var/db/sshguard/blacklist.db
Doesn't work
To strip bold and colors:
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | /usr/sbin/sshguard -l - -b /var/db/sshguard/blacklist.db
Doesn't work
To get the date format to match auth.log:
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | sed "s/Jan 01/Jan 1/" | /usr/sbin/sshguard -l - -b /var/db/sshguard/blacklist.db
Doesn't work
However, I think the last two might be confounded by a separate issue: I get no output if I try piping the output of journalctl through sed and then anything else. Here are the tests I've run:
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | sed 's/a/_/'
Produces output
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | sed 's/a/_/' | cat
Produces nothing
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | cat | sed 's/a/_/'
Produces output
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | cat | cat
Produces output
    /usr/bin/journalctl -afbp info -n1 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | sed 's/a/_/' | sed 's/_/a/'
Produces nothing
When I say "works" above, I mean I see new log messages (in /var/log/auth.log) within 6 failed ssh login attempts. In every case, I see the SSHGuard "Started successfully" log message (in /var/log/auth.log).
I'm using Arch Arm on a Raspberry Pi. I installed and updated the system last week, but I'm going to go upgrade my system again right now just in case there's been some fix.
Okay, just upgraded, same issues.
Has anyone else encountered this? Would this be a sshguard or journalctl issue? Does this work with non-Arm Arch Linux? I only have my Raspberry Pi Arch computer right now, so I can't test journalctl in other situations. Also, it's January 1st where I live and I'm having some trouble creating an account on the main forums, so I thought I'd post it here instead.
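The pipeline results in the post (sed in the middle delivers nothing, while cat | cat delivers output) match the behaviour of stdio block buffering: when its stdout is a pipe rather than a terminal, GNU sed holds output in a buffer until the buffer fills or sed exits, and in a long-lived journalctl -f | sed | sshguard pipeline that means sshguard is starved of log lines and never sees the failed logins it is supposed to act on. The script below is an added example, not code from the post, the sshguard project or Arch Linux: it uses a constructed three-line stand-in for journalctl -f (the sshd lines and the 192.0.2.x addresses are made up), a trailing cat as the stand-in for sshguard -l -, and assumes GNU sed, whose -u flag turns buffering off.

```shell
#!/bin/sh
# Added example (not from the original post or from sshguard): shows how a
# stdio-buffered sed stage in a long-lived pipeline withholds lines from the
# consumer, and how 'sed -u' (GNU sed) delivers them line by line.

# Constructed stand-in for 'journalctl -f': prints three synthetic sshd lines
# at once, then keeps the pipe open for a while, as a follower does when
# nothing new arrives.
emit_lines() {
    i=1
    while [ "$i" -le 3 ]; do
        printf 'Jan  1 00:00:0%s host sshd[123]: Failed password for invalid user test from 192.0.2.%s port 22 ssh2\n' "$i" "$i"
        i=$((i + 1))
    done
    sleep 2
}

# Feed emit_lines through sed (with the options given in $1) and a trailing
# 'cat' standing in for 'sshguard -l -', then report how many lines reached
# the end of the pipeline within one second.
# $1 = sed options, e.g. "" (default, block-buffered) or "-u" (unbuffered).
lines_delivered_within_1s() {
    out=$(mktemp)
    # $1 is deliberately unquoted so an empty value adds no argument.
    ( emit_lines | sed $1 's/Failed password/FAILED PASSWORD/' | cat > "$out" ) &
    pid=$!
    sleep 1
    n=$(( $(wc -l < "$out") ))   # snapshot after one second
    wait "$pid"                  # let the pipeline finish before cleaning up
    rm -f "$out"
    echo "$n"
}

# Same measurement with no sed stage (the 'journalctl | cat | cat' case):
# cat writes as it reads, so all lines arrive promptly.
lines_delivered_no_sed() {
    out=$(mktemp)
    ( emit_lines | cat | cat > "$out" ) &
    pid=$!
    sleep 1
    n=$(( $(wc -l < "$out") ))
    wait "$pid"
    rm -f "$out"
    echo "$n"
}

# Run with the single argument 'demo' to print the three measurements.
case "${1:-}" in
    demo)
        echo "no sed stage:        $(lines_delivered_no_sed) of 3 lines within 1s"
        echo "sed (block-buffered): $(lines_delivered_within_1s "") of 3 lines within 1s"
        echo "sed -u (unbuffered):  $(lines_delivered_within_1s -u) of 3 lines within 1s"
        ;;
esac
```

The same buffering affects any filter placed between journalctl and sshguard, so the colour-stripping and date-rewriting sed stages in the post would hold lines back in exactly this way; sed -u (or wrapping the filter with stdbuf -oL from coreutils) makes each line leave the filter as soon as it is produced. Unbuffering only gets the lines to sshguard; whether sshguard then recognizes the journalctl line format is a separate question from the one this script answers.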
