Hello
I currently have Nagios monitoring SSH on my servers, which produces a login failure. This is picked up by OSSEC as a 1002. I have audit logging to syslog via audispd. I have not been able to create a rule for this and have been unsuccessful at ignoring SSH requests from my Nagios/monitoring server.

Does anyone have a rule or any way to get around this problem? I am getting 100s of these alerts per day. I cannot change the monitoring at this time.

Received From: hids->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

2012-10-01T07:59:40.429266-06:00 hids audispd: node=hids.XXXXXX.com type=USER_LOGIN msg=audit(1349099980.428:16816): user pid=10188 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=XXX.XXX.XXX.XXX terminal=ssh res=failed'

--
=================
Matthew Feinberg