Hello everyone,
I have an issue with syslog-ng (detailed below) and I tend to
think it is related to syslog-ng, and I hope I will find some answers
here.
I set up a "solution" so that when someone fails to log in to an SSH
Linux server, I receive an email with info about that. The idea is
like this:
syslog-ng should look for any messages containing info about login
failures, and when it sees those messages, it should pass them to a
little script that emails them.
Syslog-ng relevant config for that:
filter f_ssh { program("sshd") and match("Failed password" value("MESSAGE")); };
destination d_sshalert { program("/home/cosmin/sshalert.sh"); }; # this is the script that is sending the emails
destination d_sshfile { file("/home/cosmin/LOGS/sshdfailed.log"); };
log { source(s_src); filter(f_ssh); destination(d_sshfile); };
#log { source(s_src); filter(f_ssh); destination(d_sshalert); flags(final); };
log { source(s_src); filter(f_ssh); destination(d_sshalert); };
And the script that is sending the emails:
cosmin@srv:~$ cat sshalert.sh
#!/bin/bash
email="someone@gmail.com"
while read event;
do
    echo -e "Subject:*** SSH failed attempt on domain.ro ***\n\
From:SSH Watcher <admin@domain.ro>\n\
To:someone@gmail.com\n\n\
####### WARNING #######\n\n\
A failed SSH attempt has been logged:\n\
${event}\n\n\
*** Required actions***\n\
1. Check ip owner and location:\n\
Ex: #curl ipinfo.io/X.Y.Z.T\n\
2. Ban the source IP address in iptables.rules\n\
***********************\n\n\
For any questions contact: admin@domain.ro\n\
Have a nice day\n" | /usr/sbin/sendmail -f admin@domain.ro ${email}
done
Everything is working as expected; I receive mails like this when
failed attempts exist:
####### WARNING #######
A failed SSH attempt has been logged:
Aug 6 15:49:47 srv sshd[18236]: Failed password for someone from 173.XX.220.XX port 59004 ssh2
*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************
For any questions contact: admin@domain.ro
Have a nice day
Please note that the log inserted is the right one: Aug 6 15:49:47
srv sshd[18236]: Failed password for someone from 173.XX.220.XX port
59004 ssh2
My problem is that from time to time (I did not manage to discover a
time pattern), I also receive some strange mails like the following:
####### WARNING #######
A failed SSH attempt has been logged:
Aug 6 16:09:47 srv -- MARK --
*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************
For any questions contact: admin@domain.ro
Have a nice day
As you can see, the log inserted in the mail is strange: Aug 6
16:09:47 srv -- MARK --. I assume that somehow syslog-ng is
the one that is sending this log to my script, which is why I
configured another destination to a local file to test my hypothesis
(d_sshfile), but the message is not inserted in that local file.
Now, my question for you is: is there a way to determine if
syslog-ng is the one responsible for sending that strange message,
and why? Am I doing something wrong with the syslog-ng config (maybe
the filter is not right)?
Any help would be appreciated. Thanks.
--
Best Regards
Cosmin Neagu
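The script above mails whatever line reaches its stdin, and it inserts that line through `echo -e`, which also interprets any backslash escapes the line happens to contain (the user name in a "Failed password" event is chosen by whoever is connecting). The following is an added example, not the poster's script or anything from the syslog-ng project: a POSIX sh version that only forwards lines that really look like an sshd "Failed password" event, drops everything else (a `-- MARK --` line included) while counting it, and builds the mail with `printf '%s'` so the event text is inserted verbatim. The regex, the placeholder addresses, the helper names and the `run` argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): forward only real sshd
# "Failed password" events to mail, and never let the event text be
# interpreted as escape sequences. Addresses are constructed placeholders.

ALERT_TO="someone@example.invalid"   # constructed placeholder address
ALERT_FROM="admin@example.invalid"   # constructed placeholder address

# Return 0 when the line is a syslog line from sshd carrying a
# "Failed password" message, 1 for anything else that reached stdin
# (for example a "-- MARK --" line).
is_failed_password_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ sshd\[[0-9]+\]: Failed password for '
}

# Extract the source IPv4 address. sshd appends " from <ip> port <n>" at the
# end of the message, so the greedy ".*" picks the last "from", not a
# "from" that an attacker may have put inside the user name.
source_ip_of() {
    printf '%s\n' "$1" | sed -nE 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port [0-9]+ .*/\1/p'
}

# Write the complete mail (headers + body) to stdout. The event goes in
# through %s, so a backslash sequence in the line stays a literal backslash.
build_mail() {
    event="$1"
    ip=$(source_ip_of "$event")
    printf 'Subject: *** SSH failed attempt ***\nFrom: SSH Watcher <%s>\nTo: %s\n\n' "$ALERT_FROM" "$ALERT_TO"
    printf '####### WARNING #######\n\nA failed SSH attempt has been logged:\n%s\n\n' "$event"
    printf 'Source IP: %s\n\n*** Required actions ***\n1. Check the IP owner and location.\n2. Review the source IP against the firewall rules.\n' "$ip"
}

# Read events from stdin, the way syslog-ng's program() destination delivers
# them, mail the valid ones and report the sent/dropped counts on stderr so
# unexpected lines leave a trace instead of silently turning into alerts.
process_events() {
    sent=0; dropped=0
    while IFS= read -r event; do
        if is_failed_password_line "$event"; then
            build_mail "$event" | /usr/sbin/sendmail -f "$ALERT_FROM" "$ALERT_TO"
            sent=$((sent + 1))
        else
            dropped=$((dropped + 1))
        fi
    done
    printf 'sshalert: sent=%d dropped=%d\n' "$sent" "$dropped" >&2
}

# Only consume stdin when started with "run" (assumed calling convention, e.g.
# program("/path/sshalert_checked.sh run") in the destination), so the
# functions above can also be sourced and checked without blocking on input.
if [ "${1:-}" = "run" ]; then
    process_events
fi
```

The script-side check complements, rather than replaces, the syslog-ng side: the `-- MARK --` lines are produced by syslog-ng's own mark mechanism, which is governed by the destination-level `mark-freq()` and `mark-mode()` options, so it is worth checking those options in the documentation for the installed syslog-ng version when deciding whether a program() destination should receive mark messages at all.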