Public bug reported:

ubuntu eoan (19.10)
---
While investigating why my fail2ban client was not blocking the usual script-kiddie SSH attempts, I discovered that no sshd failures were appearing in /var/log/auth.log. Upon opening /etc/rsyslog.d/50-default.conf I discovered that sshd failures are being transformed and forwarded to localhost:7070. Here's the section of configuration:

    if $programname == 'sshd' then {
        if $msg startswith ' Failed' then {
            # Transform and forward data!
            action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
        }
        stop
    }

For me, nothing is bound to port 7070. I assume you have a good reason for such a default, but it seems suboptimal to stop processing after forwarding. I commented out the stop line and restarted rsyslog and found that logs appeared in /var/log/auth.log and that my fail2ban is now banning IPs, as expected.

I suggest changing the default configuration so that sshd failures reach /var/log/auth.log.

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: eoan

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1881942

Title:
  default configuration forwards sshd failures to port 7070

Status in rsyslog package in Ubuntu:
  New
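The reason the reporter's fix works is that rsyslog's `stop` discards the message for every rule that follows it in the ruleset, including the `auth,authpriv.*` rule that writes /var/log/auth.log, so anything matched by the `if $programname == 'sshd'` block never reaches the file fail2ban watches. Below is a corrected version of that block, written here as an added example; it is not part of the bug report or of the Ubuntu rsyslog package. It keeps the forwarding action but drops the `stop`, so the same message is both forwarded and written to auth.log. The `ip-json` template and the auth.log rule are assumed to be defined elsewhere in the same configuration, as in the report; the queue and retry parameters are an addition so that a target with no listener on 127.0.0.1:7070 does not hold up delivery of the rest of the log stream.

```rsyslog
# Added example, not from the bug report or the Ubuntu package.
# Assumes a template named "ip-json" is defined earlier in the configuration.

# Problematic pattern (as reported): forward, then 'stop'. The 'stop' applies
# to every sshd message, failed or not, and discards it before any later rule,
# so /var/log/auth.log never receives it.
#
# if $programname == 'sshd' then {
#     if $msg startswith ' Failed' then {
#         action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
#     }
#     stop
# }

# Corrected pattern: forward only the failures and let every sshd message fall
# through to the normal file rules below. A dedicated in-memory action queue
# plus unlimited retries means a dead 7070 listener suspends only this action
# rather than blocking the main queue.
if $programname == 'sshd' and $msg startswith ' Failed' then {
    action(type="omfwd"
           target="127.0.0.1" port="7070" protocol="tcp"
           template="ip-json"
           queue.type="LinkedList" queue.size="10000"
           action.resumeRetryCount="-1")
}

# Standard Ubuntu auth log rule; with 'stop' gone, sshd failures reach it
# and fail2ban's sshd jail can read them.
auth,authpriv.*   /var/log/auth.log
```

After editing, `rsyslogd -N1` validates the configuration without starting the daemon, and `ss -ltnp | grep ':7070'` shows whether anything actually listens on the forwarding target; if nothing does, the forwarding action contributes nothing and the `stop` was silently discarding the only copy of each failed-login record.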