I have configured the net.tcp.service[ssh] item and added a trigger expression like this:
{axx_linux_base:net.tcp.service[ssh].last(0)}=0
What I am seeing is that sometimes this trigger fires, even though ssh is up and running. It happens only occasionally.
When it happens I see an entry in /var/log/secure of the form:
Aug 1 13:26:45 localhost sshd[8492]: Did not receive identification string from 127.0.0.1