I use this search:
index=_audit | dedup action | table action
and get these results:
Remote token requested
Notice a lack of "login attempt"
I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.
OK, there seems to be a bit of misunderstanding about the action field in index=_audit.
There is a reason why we cannot do index=_audit action="login attempt".
When you look closely at the actual events:
We get action=success
We get action=failure
So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.
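The derived success/failure field this answer describes, as an added example that is not part of the original thread: a small Python script that parses constructed raw _audit lines in the `Audit:[key=value, ...]` shape, applies the "login attempt" plus info -> success/failure mapping the answer talks about, and reproduces both the `dedup action` result and a `stats count by user, action` style summary. The sample events, the field layout and the exact mapping are assumptions modelled on the thread, not Splunk's own extraction or eval code.

```python
"""Classify Splunk _audit login events the way the answer above describes.

Constructed example: the events in SAMPLE_AUDIT_EVENTS are made up to resemble
raw _audit "login attempt" records. They are not data from the original thread,
and the field layout in a real deployment may differ.
"""
import re
from collections import Counter

# Raw _audit events look like: Audit:[key=value, key=value ...]
AUDIT_WRAPPER_RE = re.compile(r"^Audit:\[(.*)\]$")

# key=value pairs. A value is either double-quoted or runs until the next
# ", key=" / " key=" boundary, which tolerates the unquoted "login attempt".
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=,\s+\w+=|\s+\w+=|$)')

# Constructed sample input (not from the thread).
SAMPLE_AUDIT_EVENTS = [
    'Audit:[timestamp=03-01-2024 09:00:01.000, user=admin, action=login attempt, info=succeeded reason="" useragent="curl/8.0" clientip=10.0.0.5]',
    'Audit:[timestamp=03-01-2024 09:00:05.000, user=admin, action=login attempt, info=failed reason="user-initiated" useragent="curl/8.0" clientip=10.0.0.9]',
    'Audit:[timestamp=03-01-2024 09:00:10.000, user=bob, action=login attempt, info=failed reason="user-initiated" useragent="Mozilla/5.0" clientip=203.0.113.7]',
    'Audit:[timestamp=03-01-2024 09:00:11.000, user=bob, action=login attempt, info=failed reason="user-initiated" useragent="Mozilla/5.0" clientip=203.0.113.7]',
    'Audit:[timestamp=03-01-2024 09:00:12.000, user=bob, action=login attempt, info=failed reason="user-initiated" useragent="Mozilla/5.0" clientip=203.0.113.7]',
    'Audit:[timestamp=03-01-2024 09:00:30.000, user=svc_search, action=search, info=granted, search_id="1709283630.42"]',
    'Audit:[timestamp=03-01-2024 09:00:40.000, user=bob, action=login attempt, info=succeeded reason="" useragent="Mozilla/5.0" clientip=203.0.113.7]',
    "not an audit event at all",
]


def parse_audit_event(line: str) -> dict:
    """Return the key/value fields of one raw _audit line, or {} if it is not one."""
    m = AUDIT_WRAPPER_RE.match(line.strip())
    if not m:
        return {}
    fields = {}
    for key, value in KV_RE.findall(m.group(1)):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # drop surrounding quotes
        fields[key] = value
    return fields


def derive_action(fields: dict) -> str:
    """Assumed equivalent of the eval the answer mentions: a raw 'login attempt'
    becomes success/failure from the info field; any other action passes through."""
    if fields.get("action") == "login attempt":
        return "success" if fields.get("info") == "succeeded" else "failure"
    return fields.get("action", "")


def distinct_actions(lines) -> list:
    """Equivalent of `index=_audit | dedup action | table action` over the sample."""
    return sorted({derive_action(f) for f in map(parse_audit_event, lines) if f})


def login_summary(lines) -> Counter:
    """Equivalent of `index=_audit action=success OR action=failure
    | stats count by user, action`, keyed by (user, action)."""
    counts = Counter()
    for f in map(parse_audit_event, lines):
        if not f:
            continue
        action = derive_action(f)
        if action in ("success", "failure"):
            counts[(f.get("user", ""), action)] += 1
    return counts


def users_with_failed_logins(lines, threshold: int = 3) -> list:
    """Users with at least `threshold` failures: a simple brute-force check."""
    summary = login_summary(lines)
    return sorted(u for (u, a), n in summary.items() if a == "failure" and n >= threshold)


if __name__ == "__main__":
    print("distinct actions:", distinct_actions(SAMPLE_AUDIT_EVENTS))
    for (user, action), n in sorted(login_summary(SAMPLE_AUDIT_EVENTS).items()):
        print(f"{user:12s} {action:8s} {n}")
    print("users over failure threshold:", users_with_failed_logins(SAMPLE_AUDIT_EVENTS))
```

Running it shows why `dedup action` never lists "login attempt": the raw event carries `action=login attempt` plus `info=succeeded`/`info=failed`, and only the derived success/failure value survives into the `action` field you search on.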
Check _internal for HTTP numbers related to access: 401 Unauthorized, access denied, etc.
Combine that with _access and you'll come up with successful and unsuccessful logon attempts.
Also, if you're integrated with LDAP, you can verify based on what you find happening in the LDAP/AD logs.
Are you integrated with LDAP? If so, check your Active Directory security logs for successful/unsuccessful attempts.
Another method might be checking the web access logs in _internal index.