Hi,

Sounds interesting.

So I thought I take a little test...

Initial RAM-Usage: 14334 KB

First I just switched logging, did nothing else:

syslog => file => 22726 KB
file => syslog => 31117 KB
syslog => file => 39507/47898 KB (RAM suddenly altered. Why? No idea.)
file => syslog => 56289 KB

Restarted through console:

root(a)ipfire: /var/log/guardian # guardianctrl restart
Stopping Guardian...
Starting Guardian...
Unable to continue: /usr/sbin/guardian is running
                  [ WARN ]

Hm?

Stopped through console, no output, 'guardian' not found anymore,
neither in GUI nor through console:

root(a)ipfire: /var/log/guardian # ps ax | grep guardian
 6962 pts/1    S+     0:00 grep guardian

Started through console and we're exactly where we started (14334 KB).

The same happens if I switch the 'Priority-level' or the 'Firewall-Action'.

Initial: 2
2 => 3 => 22723 KB
3 => 2 => 31112 KB

Firewall-Action:
Reject => Drop => 39501 KB

Stop => Start => 14334 KB

Interestingly, during MY (log-)switching, 'guardian' never stopped.

HTH,
Matthias

On 21.07.2016 21:52, Flying Trashcan wrote:
> I am now noticing that when I switch from Log facility “file” to “syslog”, Guardian Daemon stops and doesn’t restart.  Switching from syslog to file didn’t stop the service, only switching back to syslog from file.  I can manually start the service and be back to normal.  Not a big deal, but if someone made the switch and didn’t think to manually start the service, it could be left without running Guardian.
> 
> 
> 
> 
>> On Jul 21, 2016, at 4:25 AM, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>> 
>> Hi,
>> 
>> I mentioned this earlier, but it seems that 'guardian' has some kind of
>> memory leak?
>> 
>> It started about two days ago with ~14 MB RAM. Then it jumped to ~34 MB,
>> then to ~48 MB - today it suddenly uses 71 MB.
>> 
>> And if I start it on my testmachine (offline!) it uses ~90 MB.
>> 
>> Can someone confirm?
>> 
>> Besides this, its working without seen problems.
>> 
>> Best,
>> Matthias
>> 
>> On 20.07.2016 15:33, Stefan Schantl wrote:
>>> Hello testers,
>>> 
>>> I've uploaded  a new test version (003).
>>> 
>>> Update or fresh install works like described in the announcement mail.
>>> 
>>> The Changelog can be found here:
>>> 
>>> http://people.ipfire.org/~stevee/guardian-2.0/Changelog.txt
>>> 
>>> At the moment I'm missing feedback for the following functions:
>>> 
>>> * Manually blocking / unblocking addresses.
>>> * Dealing with the ignore list.
>>> * Owncloud message parser.
>>> * Logrotate, there should be an corresponding log entry in the guardian
>>> logfile after rotation of the logfiles have been done.
>>> * Reload of the ignore list after "Red" has been reconnected. There
>>> also a corresponding log entry should be logged to the logfile and the
>>> new "Red-address" should also be logged as part of the ignore list (If
>>> you own an dynamic assigned one).
>>> 
>>> As always please report your bugs or experience with the new version to
>>> this list.
>>> 
>>> Best regards,
>>> 
>>> -Stefan
>>> 
>>>> Hello mailing list followers,
>>>> 
>>>> this is the official release announcement for the first beta release
>>>> of
>>>> the new Guardian 2.0 approach.
>>>> 
>>>> 
>>>> - What are the differences to the current version of guardian
>>>> (legacy)
>>>> and the first approach of guardian 2.0?
>>>> 
>>>> The most important difference is, that the new version of Guardian
>>>> 2.0
>>>> completely has been re-written from scratch and released under the
>>>> terms of the GPLv3. The legacy version of guardian is not maintained
>>>> anymore by it's developer and the software has been released without
>>>> any license details at all.
>>>> 
>>>> Guardian 2.0 has a very modular code base and has been designed as a
>>>> multi-threaded application. This allows a parallel parsing of all
>>>> monitored logfiles and faster actions, if one of the used modules
>>>> detects an attack.
>>>> 
>>>> A very important difference to the legacy version is the support of
>>>> configuring and managing the entire service through the IPFire
>>>> webinterface. The entire configuration, managing of current blocked
>>>> hosts, unblocking them or editing the ignored hosts list now can be
>>>> done in a graphical way. 
>>>> 
>>>> The legacy version of guardian only supported parsing snort alerts.
>>>> HTTPD and SSH support has been patched by the IPFire development team
>>>> some time ago. Guardian 2.0 supports all of them out of the box and
>>>> includes a filter to detect owncloud login brute-force attempts. As a
>>>> benefit of the new modular design, additional filters easily can be
>>>> added.
>>>> 
>>>> Guardian 2.0 is able to reload it's configuration, reloading
>>>> the ignore list during runtime and handle, if the logfiles will get
>>>> rotated by logrotate. This actions can be called by using the
>>>> webinterface or from the command line interface by using
>>>> "guardianctrl".
>>>> 
>>>> These are just a handful of the changes and benefits which comes with
>>>> Guardian 2.0, a complete list would be to long for this mailing list.
>>>> 
>>>> 
>>>> - How to join testing?
>>>> 
>>>> To get part of the testing team, simple navigate to http://people.ipf
>>>> ir
>>>> e.org/~stevee/guardian-2.0/ and download the latest tarball
>>>> (currently
>>>> 002). Please take care to download the correct one, based on your
>>>> used
>>>> architecture. The i585 packages are for 32Bit installations of
>>>> IPFire,
>>>> the x86_64 packages only can be used on 64Bit installations.
>>>> 
>>>> Put the downloaded file on your IPFire test system and extract the
>>>> package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C /".
>>>> 
>>>> The final installation step would be to regenerate the language cache
>>>> by executing "update-lang-cache" on the console.
>>>> 
>>>> From now you can find a new menu item called "Guardian" in your
>>>> "Service" menu after you have logged-in into your IPFire's
>>>> webinterface.
>>>> 
>>>> Documentation can be found on the IPFire wiki: http://wiki.ipfire.org
>>>> /e
>>>> n/addons/guardian/start#the_guardian_20_addon
>>>> 
>>>> 
>>>> - Where to post bugs reports or provide feedback?
>>>> 
>>>> If you find any bugs, please report them as usual on the IPFire
>>>> bugtracker, which can be found at https://bugzilla.ipfire.org.
>>>> 
>>>> To provide feedback or to join a discussion, please send your mails
>>>> to
>>>> "development(a)lists.ipfire.org" (Please register first at http://lists
>>>> .i
>>>> pfire.org if not yet done).
>>>> 
>>>> The source code can be found at http://git.ipfire.org/?p=people/steve
>>>> e/
>>>> guardian.git;a=summary
>>>> 
>>>> 
>>>> Happy testing,
>>>> 
>>>> -Stefan
>>>> 
>>> 
>> 
> 
>