Christian Kujau lists at
Thu May 27 18:47:57 CEST 2021

On Thu, 13 May 2021, Tomáš Tomčák wrote:
> type=USER_LOGIN msg=audit(05/13/2021 09:28:05.018:4011474) : pid=1147767
> uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=login acct=(unknown) exe=/usr/sbin/sshd hostname=?
> addr=XXXX.XXXX.XXXX.XXXX  terminal=ssh res=failed'
> Do you know please how to prevent or get rid of this behaviour ? Looks like
> plugin can not authenticate maybe with some authentication method and
> eventually it success but will cause these failed login messages on targets.

Indeed, check_ssh is not supposed to login, it only checks if an SSH login 
is possible.

 $ /usr/lib/naemon/plugins/check_ssh --help
 Try to connect to an SSH server at specified server and port

But even if check_ssh would be able to perform a full login, you will then 
see successful login messages in your (audit) logs. Some syslog daemons 
(rsyslog, syslog-ng) can be configured to not log specific log messages, 
maybe you try and tune that on your side.


PS: For some reason this email was delivered only today, weird:

Received: from [...]
 by (Postfix) with ESMTPS id 8D4D920010A0; 
 Thu, 13 May 2021 10:07:50 +0200 (CEST)

Received: from (localhost [])
 by (Postfix) for <lists at>; 
 Thu, 27 May 2021 18:21:50 +0200 (CEST)
BOFH excuse #68:

only available on a need to know basis

More information about the Help mailing list