On Thu, 13 May 2021, Tomáš Tomčák wrote: > type=USER_LOGIN msg=audit(05/13/2021 09:28:05.018:4011474) : pid=1147767 > uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 > msg='op=login acct=(unknown) exe=/usr/sbin/sshd hostname=? > addr=XXXX.XXXX.XXXX.XXXX terminal=ssh res=failed' > > Do you know please how to prevent or get rid of this behaviour ? Looks like > plugin can not authenticate maybe with some authentication method and > eventually it success but will cause these failed login messages on targets.
Indeed, check_ssh is not supposed to login, it only checks if an SSH login is possible. $ /usr/lib/naemon/plugins/check_ssh --help [...] Try to connect to an SSH server at specified server and port But even if check_ssh would be able to perform a full login, you will then see successful login messages in your (audit) logs. Some syslog daemons (rsyslog, syslog-ng) can be configured to not log specific log messages, maybe you try and tune that on your side. HTH, C. PS: For some reason this email was delivered only today, weird: Received: from mail-wm1-f49.google.com [...] by orwell.monitoring-plugins.org (Postfix) with ESMTPS id 8D4D920010A0; Thu, 13 May 2021 10:07:50 +0200 (CEST) Received: from orwell.monitoring-plugins.org (localhost [127.0.0.1]) by orwell.monitoring-plugins.org (Postfix) for <li...@nerdbynature.de>; Thu, 27 May 2021 18:21:50 +0200 (CEST) -- BOFH excuse #68: only available on a need to know basis