Greetings Martin:

In /var/ossec/rules/sshd_rules.xml there is

  <rule id="5718" level="5">
    <if_sid>5700</if_sid>
    <match>not allowed because</match>
    <description>Attempt to login using a denied user.</description>
    <group>invalid_login,</group>
  </rule>

I'm not sure if that covers "Nov 23 08:33:06 thecla2 sshd[14874]: User alias not allowed because shell /sbin/nologin does not exist"

You may want to consider creating your own rule in /var/ossec/rules/local_rules.xml
Thank you.
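
One way the local rule suggested above could look, as an added example that is not part of the original message. The rule id 100100, the level, the description and the regex are assumptions; the rule hangs off the same parent (5700) that rule 5718 uses.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<!-- Added example: id, level, regex and description are assumptions, not shipped OSSEC rules. -->
<group name="local,syslog,sshd,">

  <!-- Targets lines such as:
       sshd[14874]: User alias not allowed because shell /sbin/nologin does not exist -->
  <rule id="100100" level="5">
    <!-- Same parent as rule 5718 in sshd_rules.xml -->
    <if_sid>5700</if_sid>
    <!-- \S+ stands for the shell path reported by sshd -->
    <regex>not allowed because shell \S+ does not exist</regex>
    <description>sshd: login denied because the user's shell does not exist.</description>
    <group>invalid_login,</group>
  </rule>

</group>
```

Pasting the log line into /var/ossec/bin/ossec-logtest shows which rule actually fires for it, both before and after adding a local rule.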
