Hi Martin, Are you sure it is not being caught? I ran your log in here and got an alert (using v1.4):
** Alert 1196003671.12373: - syslog,sshd,invalid_login, 2007 Nov 25 11:14:31 thecla2->/var/log/messages Rule: 5718 (level 5) -> 'Attempt to login using a denied user.' Src IP: d33.z1.infracom.it User: root Nov 21 21:49:02 thecla2 sshd[20660]: User root from d33.z1.infracom.it not allowed because not listed in AllowUsers Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Nov 23, 2007 8:01 PM, Martin West <[EMAIL PROTECTED]> wrote: > > Yes, as I said in the append some, the "Invalid User", do get picked up > from auth.log > > It would appear to be the "not allowed" entries that are not picked up. > > Thanks > > > On Fri, 2007-11-23 at 11:44 -0800, Peter M. Abraham wrote: > > In /var/ossec/etc/ossec.conf is your auth.log being monitored? > > > -- > > Regards Martin West > > >
