
How can I monitor successful and failed logins on Linux servers?

New Member

Hi,

How can I monitor Linux servers' successful & failed logins? I have a forwarder and the Splunk Add-on for Unix and Linux installed on the server.

0 Karma

Motivator

You can get the failed ones like this:

index=os process=sshd eventtype=failed_login

0 Karma

Splunk Employee

Yes, just make sure the user running Splunk has permissions to your /var/log/ log directory and that you configure the Splunk_TA_nix inputs.conf [monitor:///var/log] as enabled (this can be done via the GUI under the Apps menu: Apps->Splunk add-on for Nix).

http://www.function1.com/2015/07/splunking-the-linux-audit-system

0 Karma
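
The two conditions named in the answer above (read access for the user running Splunk, and an enabled [monitor:///var/log] stanza) can be checked before running any search. This is an added example, not code from the thread or from Splunk; the function names, the simplified local-before-default precedence and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two conditions
# in the answer above. All files used in the demo are constructed samples.

# Print the value of "disabled" in one stanza of a .conf file (empty if unset).
# Exit status 1 when the stanza is not in the file.
stanza_disabled() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
                      in_s = (s == want); if (in_s) found = 1; next }
        in_s && /^[ \t]*disabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val; exit(found ? 0 : 1) }' "$1"
}

# 0 = enabled, 1 = disabled, 2 = stanza found in none of the files.
# Pass files highest precedence first (local/inputs.conf, then default/inputs.conf).
monitor_enabled() {
    stanza=$1; shift; seen=no
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(stanza_disabled "$f" "$stanza") || continue
        seen=yes
        case $v in
            1|true)  return 1 ;;
            0|false) return 0 ;;
        esac
    done
    [ "$seen" = yes ] || return 2   # stanza absent everywhere
    return 0                        # present, "disabled" never set: treated as enabled
}

# Print every path the invoking user cannot read; run it as the Splunk user.
unreadable_logs() {
    for p in "$@"; do [ -r "$p" ] || printf '%s\n' "$p"; done
}

# Demo on constructed files: the default layer disables the input, local enables it.
d=$(mktemp -d)
printf '[monitor:///var/log]\nindex = os\ndisabled = 1\n' > "$d/default.conf"
printf '[monitor:///var/log]\ndisabled = 0\n' > "$d/local.conf"
monitor_enabled 'monitor:///var/log' "$d/local.conf" "$d/default.conf" && echo "input enabled"
unreadable_logs "$d/local.conf" "$d/missing.log"   # prints the missing path
rm -rf "$d"
```

Run it as the account that runs the forwarder, passing the add-on's local and default inputs.conf and the distribution's authentication log (/var/log/secure or /var/log/auth.log). `splunk btool inputs list --debug` shows the fully merged configuration that Splunk itself will use.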