# Failed Login Attempts

## Overview

**Evidence:** Failed Login Attempts\
**Description:** Collect failed login attempts\
**Category:** Applications\
**Platform:** linux\
**Short Name:** fla\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

On Linux, failed login attempts are typically recorded in the binary btmp file. These records capture usernames, TTY, source hosts, and timestamps, which are crucial indicators of brute-force attempts or misconfiguration.

## Data Collected

This collector gathers structured data about failed login attempts.

## Collection Method

This collector reads entries from /var/log/btmp using a Utmp scanner, converts them to structured records, and adds the raw file to protected content.
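
To show what converting btmp entries to structured records involves, here is an added example; it is not the collector's own code. It assumes the 384-byte glibc `struct utmp` layout used on 64-bit little-endian Linux, and the function names and sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on 64-bit little-endian Linux (384 bytes):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, tv_sec, tv_usec, ut_addr_v6[16], unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20x")

def text_field(raw):
    # Fields are NUL-padded; user and host are supplied by the remote client,
    # so decode defensively instead of trusting the bytes.
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Return one dict per complete record; a truncated tail is ignored."""
    usable = len(data) - len(data) % UTMP.size
    records = []
    for off in range(0, usable, UTMP.size):
        (ut_type, pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, _addr) = UTMP.unpack_from(data, off)
        records.append({
            "type": ut_type, "pid": pid, "tty": text_field(line),
            "user": text_field(user), "host": text_field(host),
            "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
        })
    return records

def failures_by_host(records):
    """Count failed attempts per source host, a quick brute-force indicator."""
    counts = {}
    for rec in records:
        key = rec["host"] or "(local)"
        counts[key] = counts.get(key, 0) + 1
    return counts

def make_record(user, tty, host, sec):
    # Builds a constructed sample record; 6 is LOGIN_PROCESS in <utmp.h>.
    return UTMP.pack(6, 1234, tty.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, b"\x00" * 16)

# Constructed sample: three records plus a 10-byte truncated tail.
SAMPLE = (make_record("root", "ssh:notty", "203.0.113.7", 1700000000)
          + make_record("admin", "ssh:notty", "203.0.113.7", 1700000002)
          + make_record("alice", "tty1", "", 1700000100)
          + b"\x06" * 10)

if __name__ == "__main__":
    for rec in parse_btmp(SAMPLE):
        print(rec)
    print(failures_by_host(parse_btmp(SAMPLE)))
```

Treat the user field as sensitive when handling parsed output, since users sometimes type a password at the username prompt and it is recorded as the attempted username.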

## Forensic Value

Failed login telemetry reveals attack surface probing, credential stuffing, and users mistyping their credentials. It supports timeline reconstruction and correlation with authentication logs and network telemetry.
