Scanning does not necessarily provide a "blip". Do you have any kind of tool logging scans or are you doing something beyond an nmap scan, such as brute force login attemps. Something has to create a log entry for OSSEC to see. Based on what you are saying - is there any kind of entry in any of the event logs showing that a scan was happening? OSSEC would see that.
>
