Greetings,

In 2011, Bazsi posted an entry [1] about a fellow named Valentijn Sessink doing some interesting work with patterndb and the iptables xt_recent module.

I am mostly there (following Valentijn's example), but am having issues. Specifically, it does not seem that syslog-ng is writing the IPs to the xt_recent proc "file". Syslog-ng is writing them to a regular log file, though:

# cat /proc/net/xt_recent/syslogblock
#

other-system$ ssh doug@system
other-system$

# cat /var/log/syslogblock
2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:45:26 Failed none for invalid user doug from 131.212.109.58 port 37956 ssh2 +131.212.109.58
# cat /proc/net/xt_recent/syslogblock
#

I can add the host by hand to the xt_recent file:

# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# cat /proc/net/xt_recent/syslogblock
src=131.212.109.58 ttl: 0 last_seen: 5445045124 oldest_pkt: 3 5445044388, 5445044844, 5445045124

The above is the expected output.

Here are my configs:

$ cat /etc/syslog-ng/conf.d/ssh-failure-iptables-recent-block.conf
# a destination; we have a dual destination here, a file to see the
# blocked hosts, and an iptables-destination in /proc to block them.
destination d_syslogblock {
    file(
        "/proc/net/xt_recent/syslogblock"
        template("+${usracct.device}\n")
    );
    file(
        "/var/log/syslogblock"
        template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG +${usracct.device}\n")
    );
};

# a parser for the pattern-DB we made in step 1
parser pattern_db {
    db_parser(
        file("/var/lib/syslog-ng/patterndb.xml")
    );
};

# a filter to filter the parser results
filter f_syslogblock {
    tags("secevt") and match(
        "REJECT" value("secevt.verdict")
    );
};

# and finally, the log itself:
log {
    source(s_src);
    parser(pattern_db);
    filter(f_syslogblock);
    destination(d_syslogblock);
};
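
An added example, not part of the original post: a small Python check that compares the two destinations shown above and reports which addresses syslog-ng logged with a `+<ip>` token but which are absent from the xt_recent list. The function names are hypothetical, and the sample inputs are constructed from the output quoted in the post.

```python
import ipaddress
import re

# Constructed sample inputs, taken from the output quoted in the post.
SAMPLE_LOG = """\
2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:45:26 Failed none for invalid user doug from 131.212.109.58 port 37956 ssh2 +131.212.109.58
"""
SAMPLE_RECENT = ("src=131.212.109.58 ttl: 0 last_seen: 5445045124 "
                 "oldest_pkt: 3 5445044388, 5445044844, 5445045124\n")

# One xt_recent entry: source address, TTL, last-seen jiffies, slot index, stamps.
RECENT_RE = re.compile(r"^src=(?P<src>\S+) ttl: (?P<ttl>\d+) "
                       r"last_seen: (?P<last>\d+) oldest_pkt: (?P<idx>\d+) (?P<stamps>.*)$")

def parse_recent(text):
    """Return {ip: [jiffies stamps]} for each entry of an xt_recent list."""
    entries = {}
    for line in text.splitlines():
        m = RECENT_RE.match(line.strip())
        if not m:
            continue
        ip = str(ipaddress.ip_address(m.group("src")))  # normalise the address
        entries[ip] = [int(s) for s in m.group("stamps").split(",") if s.strip()]
    return entries

def logged_ips(text):
    """Return {ip: count} for the '+<ip>' token that ends each audit-log line."""
    counts = {}
    for line in text.splitlines():
        token = line.strip().rsplit(" ", 1)[-1]
        if not token.startswith("+"):
            continue
        try:
            ip = str(ipaddress.ip_address(token[1:]))
        except ValueError:
            continue  # template expanded to something that is not an address
        counts[ip] = counts.get(ip, 0) + 1
    return counts

def missing_from_kernel(log_text, recent_text):
    """Addresses logged as blocked that the kernel list does not contain."""
    present = parse_recent(recent_text)
    return sorted(ip for ip in logged_ips(log_text) if ip not in present)

if __name__ == "__main__":
    print(missing_from_kernel(SAMPLE_LOG, ""))             # proc file empty, as in the post
    print(missing_from_kernel(SAMPLE_LOG, SAMPLE_RECENT))  # after the manual echo
```

On a live system the two arguments would be the contents of /var/log/syslogblock and /proc/net/xt_recent/syslogblock.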