Yes, as I said in the append some, the "Invalid User", do get picked up from auth.log
It would appear to be the "not allowed" entries that are not picked up. Thanks On Fri, 2007-11-23 at 11:44 -0800, Peter M. Abraham wrote: > In /var/ossec/etc/ossec.conf is your auth.log being monitored? > -- Regards Martin West
