Evidence: Failed Login Attempts
Description: Collects failed login attempts
Category: Applications
Platform: linux
Short Name: fla
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
On Linux, failed login attempts are typically recorded in the binary btmp file (/var/log/btmp), which uses the utmp record format. Each record captures the username, TTY, source host, and timestamp, which are crucial indicators of brute-force attempts or misconfiguration.
Data Collected
This collector gathers structured data about failed login attempts.
Collection Method
This collector reads entries from /var/log/btmp using a Utmp scanner, converts them to structured records, and adds the raw file to protected content.
Forensic Value
Failed login telemetry reveals attack-surface probing, credential stuffing, and mistyped credentials from legitimate users. It supports timeline reconstruction and correlation with authentication logs and network telemetry.
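The collection method and forensic value sections above describe reading utmp-format records out of /var/log/btmp, turning them into structured records, and using them to spot brute-force activity. The script below is an added example of that flow; it is not the collector's own code. It assumes the 64-bit glibc utmp layout (384-byte records with a 32-bit ut_tv), and the btmp bytes it parses are constructed inline from documentation IP ranges and fake usernames rather than captured from a real host. On a live system /var/log/btmp is normally root-readable only, and the record size differs on 32-bit or non-glibc platforms, so check `UTMP_SIZE` against the file length before trusting the parse.

```python
"""Parse Linux btmp (utmp-format) records and flag brute-force bursts.

Added example, not the collector's own code. Assumes the 64-bit glibc
utmp layout (384-byte records, 32-bit ut_tv); the sample btmp bytes
below are constructed in this script, not captured from a real host.
"""
import ipaddress
import struct
from collections import Counter, defaultdict
from datetime import datetime, timezone

# struct utmp on 64-bit glibc: ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
# ut_host, exit_status (two shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6 (16 bytes), reserved padding.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 bytes per record
LOGIN_PROCESS = 6  # ut_type that login(1)/sshd write for btmp failure entries


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw):
    """Decode ut_addr_v6: IPv4 if only the first word is set, else IPv6, else None."""
    if raw == b"\0" * 16:
        return None
    if raw[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))


def parse_btmp(data):
    """Turn raw btmp bytes into a list of dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, addr, _pad) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "addr": _addr(addr),
            "time": datetime.fromtimestamp(sec, tz=timezone.utc),
            "ts": sec,
        })
    return records


def summarize(records):
    """Failure counts per username and per source host."""
    return Counter(r["user"] for r in records), Counter(r["host"] for r in records)


def find_bursts(records, threshold=5, window=60):
    """Hosts with at least `threshold` failures inside any `window`-second span."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r["ts"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:  # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


# --- constructed sample btmp (documentation IP ranges, fake users) ----------
def make_record(user, host, ts, line="ssh:notty", pid=4242):
    """Pack one synthetic failed-login record in the same layout parse_btmp reads."""
    packed = ipaddress.IPv4Address(host).packed + b"\0" * 12
    return struct.pack(UTMP_FORMAT, LOGIN_PROCESS, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, packed, b"")


BASE = 1_700_000_000
SAMPLE_BTMP = b"".join(
    [make_record(u, "203.0.113.7", BASE + 5 * i)
     for i, u in enumerate(["root", "admin", "root", "test", "admin", "root"])]
    + [make_record("alice", "198.51.100.5", BASE + 300)]  # one mistyped password
)

if __name__ == "__main__":
    recs = parse_btmp(SAMPLE_BTMP)
    for r in recs:
        print(r["time"].isoformat(), r["user"], r["host"], r["line"])
    print(summarize(recs))
    print("burst sources:", find_bursts(recs))
```

`find_bursts` is the kind of check the forensic value section alludes to: six failures from one source across several usernames within thirty seconds is a password-spraying pattern, while a single failure for a real account from a different host is the mistyped-credential noise that should not be escalated. Correlate the `ts` and `host` fields with auth.log or journald sshd entries and with network telemetry for the same source before drawing conclusions, since btmp alone does not record whether a later attempt from that host succeeded.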