@mtarbox said in sshguard and oddities in the daily system log email:

Nothing is hammering on the logs

Most probably because it isn't the 'ssh' server that hammers itself.
Some other process still keeps on going on port 22, but doesn't know that the ones living there has moved.
So sshguard won't see the warning messages from the ssh server in the logs and doesn't add its own.
Nothing in the logs doesn't mean nothing is happening.

If there is a rogue ssh client running somewhere, it should be detected and be accounted for.

wireshark on interface LAN host adresses "192.168.2.1" TCP port 22" and see what pops up.
Try all the interfaces.

Also there is nothing in filtering rules to deny anything all the interfaces are allowed to pass through the traffic. Neither its showing anything on the system logs as well