Greetings Martin: ossec v1.4 is catching sshd brute force attempts many times during the day for us.
In /var/ossec/etc/ossec.conf is your auth.log being monitored?
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
For us, this is being tracked in /var/log/secure rather than an
auth.log.
Thank you.
