Failed Login Attempts
Overview
Evidence: Failed Login Attempts
Description: Collect failed login attempts
Category: Applications
Platform: linux
Short Name: fla
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
On Linux, failed login attempts are typically recorded in the binary btmp file. These records capture usernames, TTY, source hosts, and timestamps, which are crucial indicators of brute-force attempts or misconfiguration.
Data Collected
This collector gathers structured data about failed login attempts.
Collection Method
This collector reads entries from /var/log/btmp using a Utmp scanner, converts them to structured records, and adds the raw file to protected content.
Forensic Value
Failed login telemetry reveals attack-surface probing, credential stuffing, and mistyped credentials. It supports timeline reconstruction and correlation with authentication logs and network telemetry.