Archive

Multiple Failed logins followed by a succesful login from the same user account

New Member

Inorder to track multiple login failure to a Linux machine followed by a successful login from the same user account. Howe can we achieve this using search query?

Similar way
multiple login failure to a Linux machine followed by a successful login from the same IP address.

Any help will be appreciated.

Log source: Linux logs

Tags (1)
0 Karma

New Member

The success event should search only if there are multiple failure from the same account. This will trigger or result even though a success event occurred in between multiple failure events?

0 Karma

Builder

index the log file which have all users/ip details of login successful and failure.

serach
your search|transaction user|table user status

where user is the user id in the logs and status is the failed or successful value , you need to extract these fields(user, status) from the logs.

change user with ip address to check successful login from the same IP address

0 Karma

New Member

The success event should search only if there are multiple failure from the same account. This will trigger or result even though a success event occurred in between multiple failure events?

0 Karma