Hello to heverybody! (Howtoforge is the 1st my forum website! - A beautiful community!) The problem! On the my local vps i have a problem about the log and notification with OSSECC monitor of SSH brute force attack. In the first time, there was a problem , a bug, with the bad ownership of btmp that create a strange log report about login failure sshd: Excess permission or bad ownership on file /var/log/btmp After i have "solved" with the change of permissions and ownership of btmp file, chmod 600 /var/log/btmp but now, when there is a login failure, only from unknow user of the system, there is not any log of the failure login and obviously OSSECC dont notify me an event that not exist! If a know user perform a bad login the system notify correctly the failure login. I have tested this, with a simulation of ssh bruteforce attack. If there is any idea, i will be happy! Thanks! Regards, Josef.