
How can I monitor successful and failed logins on Linux servers?

New Member

Hi,

How can I monitor Linux servers' successful & failed logins? I have a forwarder and Splunk Add-on for Unix and Linux installed on the server.

0 Karma


You can get the failed ones like this:

index=os process=sshd eventtype=failed_login

0 Karma

Splunk Employee

Yes, just make sure the user running Splunk has permissions to your /var/log/ log directory and that you configure the Splunk_TA_nix inputs.conf [monitor:///var/log] as enabled (this can be done via the GUI under the Apps menu: Apps->Splunk add-on for Nix).

0 Karma
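The two prerequisites named in the answer above (read access to /var/log for the account running Splunk, and an enabled [monitor:///var/log] stanza in the Splunk_TA_nix inputs.conf) can be checked from the shell on the forwarder. This is an added example, not part of the original thread or of the add-on; the /opt/splunkforwarder default for SPLUNK_HOME and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Splunk_TA_nix /var/log monitor input.
# Assumption: SPLUNK_HOME defaults to /opt/splunkforwarder when not set.

# Print the "disabled" value set inside stanza $2 of file $1, "unset" if the
# stanza exists without that key, or nothing if the file or stanza is absent.
stanza_disabled_value() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" '
        /^[ \t]*\[/ {
            line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            in_s = (line == want); if (in_s) seen = 1; next
        }
        in_s && /^[ \t]*disabled[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = tolower($0)
        }
        END { if (val != "") print val; else if (seen) print "unset" }
    ' "$1"
}

# Effective state of [monitor:///var/log] for app directory $1.
# local/inputs.conf overrides default/inputs.conf, key by key.
# Prints: enabled, disabled, or missing.
monitor_state() {
    found=0
    for f in "$1/local/inputs.conf" "$1/default/inputs.conf"; do
        case "$(stanza_disabled_value "$f" 'monitor:///var/log')" in
            1|true)  echo disabled; return 0 ;;
            0|false) echo enabled;  return 0 ;;
            unset)   found=1 ;;
        esac
    done
    # A stanza with no "disabled" key in either file is an active input.
    if [ "$found" -eq 1 ]; then echo enabled; else echo missing; fi
}

# Count files under directory $1 that the current user cannot read.
unreadable_count() {
    find "$1" -type f 2>/dev/null | while IFS= read -r p; do
        [ -r "$p" ] || echo "$p"
    done | wc -l | tr -d ' '
}

APP_DIR="${SPLUNK_HOME:-/opt/splunkforwarder}/etc/apps/Splunk_TA_nix"
echo "[monitor:///var/log] in Splunk_TA_nix: $(monitor_state "$APP_DIR")"
echo "files under /var/log unreadable by $(id -un): $(unreadable_count /var/log)"
```

Run it as the account that runs the forwarder (for example through sudo -u), because root can read every file and would hide a permissions problem.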