Hi John, I'm not sure what's happened here, but the default /etc/rsyslog.d/50-default.conf contains no such snippet (a pristine copy is also stored in /usr/share/rsyslog/50-default.conf) and is managed via ucf. The contents of a pristine version are attached.
Either another package you have installed has modified this config file (and looking at the failban package and postinstall script, I don't see anything there that would add anything like that. Doing a limited google search on the comment string "# Transform and forward data" turned up this recipe: https://devconnected.com /geolocating-ssh-hackers-in-real-time/ ; is it possible that this was added as part of a recipe you were following? Thanks. ** Attachment added: "50-default.conf" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+attachment/5386636/+files/50-default.conf ** Changed in: rsyslog (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/1881942 Title: default configuration forwards sshd failures to port 7070 Status in rsyslog package in Ubuntu: Incomplete Bug description: ubuntu eoan (19.10) --- While investigating why my fail2ban client was not blocking the usual script-kiddie SSH attempts, I discovered that no sshd failures were appearing in /var/log/auth.log. Upon opening /etc/rsyslog.d/50-default.conf I discovered that sshd failures are being transformed and forwarded to localhost:7070. Here's the section of configuration: if $programname == 'sshd' then { if $msg startswith ' Failed' then { # Transform and forward data! action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json") } stop } For me, nothing is bound to port 7070. I assume you have a good reason for such a default but it seems suboptimal to stop processing after forwarding. I commented out the stop line and restarted rsyslog and found that logs appeared in /var/log/auth.log and that my fail2ban is now banning IPs, as expected. I suggest changing the default configuration so that sshd failures reach /var/log/auth.log. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
