diff --git a/files/ssh/etc/filter-syslog/ssh b/files/ssh/etc/filter-syslog/ssh
index 6e23b821ebea303bc84048b5e1f71e74672c95d0..1c4e6c6712f968c93889e7af89223b600dff33af 100644
--- a/files/ssh/etc/filter-syslog/ssh
+++ b/files/ssh/etc/filter-syslog/ssh
@@ -56,8 +56,10 @@ sshd: /^refused connect from (::ffff:)?171\.67\.22\.12 /
 sshd: / authentication failure; .* rhost=(scan1|inspect(2-scan)?)\.stanford/
 sshd: /^Postponed \S+ for invalid user \S+ from (::ffff:)?171\.67\.22\.12 /
 sshd: /^Postponed \S+ for \S+ from (::ffff:)?171\.67\.22\.12 /
-# Ignore noise on ubuntu from nessus scan
-sshd: /^Disconnecting: Too many authentication failures for (n3ssus|root|admin|manage|cisco|monitor|Cisco|ftp)$/
+
+# Ignore the logged disconnect message.  (We'll still get individual
+# authentication failures from compromised systems.)
+sshd: /^Disconnecting: Too many authentication failures for \S+$/
 
 # Ignore failed logins by IDG, Systems, and other ITS staff.  We all mistype
 # passwords occasionally.