Failed Login Attempts
Overview
Evidence: Failed Login Attempts
Description: Collect failed login attempts
Category: Applications
Platform: linux
Short Name: fla
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
On Linux, failed login attempts are typically recorded in the binary btmp file. Each record captures the username, TTY, source host and timestamp of a failed attempt, which are key indicators of brute-force activity or of a misconfigured client or service.
Data Collected
This collector gathers structured data about failed login attempts.
Collection Method
This collector reads entries from /var/log/btmp using a Utmp scanner, converts them to structured records, and adds the raw file to protected content.
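To show what "reading btmp with a utmp scanner and converting it to structured records" involves, here is an added example that is not part of this collector's code. It decodes the glibc `struct utmp` layout used on x86_64 Linux (384-byte little-endian records), extracts the username, TTY, source host, address and timestamp fields the Background section names, and summarises failures per source so a repeated-failure source stands out. The sample btmp blob, the documented-range addresses and the failure threshold are all constructed for the example; `parse_btmp`, `failed_login_summary` and `build_record` are this example's own names.

```python
"""Parse Linux btmp (utmp-format) records and summarise failed logins.

Added example, not the collector's implementation. Assumes the glibc
x86_64 struct utmp layout; other architectures may differ in width.
"""
import ipaddress
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp from <utmp.h>: UT_LINESIZE=32, UT_NAMESIZE=32, UT_HOSTSIZE=256.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit(2 shorts),
# ut_session, ut_tv(sec, usec), ut_addr_v6[4], __unused[20] -> 384 bytes.
UTMP_STRUCT = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
RECORD_SIZE = UTMP_STRUCT.size  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array (stop at first NUL)."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def _addr(words) -> str:
    """ut_addr_v6 holds an IPv4 in words[0] (words[1..3] zero) or a full IPv6."""
    if words[1] == 0 and words[2] == 0 and words[3] == 0:
        if words[0] == 0:
            return ""
        return str(ipaddress.IPv4Address(struct.pack("<i", words[0])))
    return str(ipaddress.IPv6Address(struct.pack("<4i", *words)))


def parse_btmp(data: bytes):
    """Yield one structured record per utmp entry in a btmp byte blob."""
    if len(data) % RECORD_SIZE:
        raise ValueError(f"btmp length {len(data)} is not a multiple of {RECORD_SIZE}")
    for off in range(0, len(data), RECORD_SIZE):
        (ut_type, pid, line, _id, user, host, _eterm, _eexit, _session,
         tv_sec, tv_usec, *addr_words, _unused) = UTMP_STRUCT.unpack_from(data, off)
        ts = datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec)
        yield {
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "tty": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "addr": _addr(addr_words),
            "time": ts.isoformat(),
        }


def load_btmp(path="/var/log/btmp"):
    """Read a real btmp file (normally needs root) and return its records as a list."""
    with open(path, "rb") as fh:
        return list(parse_btmp(fh.read()))


def failed_login_summary(records, threshold=5):
    """Count failures per source and per user; flag sources at or above threshold."""
    by_source, by_user = Counter(), Counter()
    for r in records:
        by_source[r["addr"] or r["host"] or r["tty"]] += 1
        by_user[r["user"]] += 1
    flagged = sorted(src for src, n in by_source.items() if n >= threshold)
    return {"by_source": dict(by_source), "by_user": dict(by_user), "flagged": flagged}


def build_record(user, host, addr, tv_sec, tty="ssh:notty", pid=4242, ut_type=6):
    """Build one constructed utmp record; used only to create offline sample data."""
    words = [0, 0, 0, 0]
    if addr:
        packed = ipaddress.ip_address(addr).packed
        words[: len(packed) // 4] = struct.unpack(f"<{len(packed) // 4}i", packed)
    return UTMP_STRUCT.pack(ut_type, pid, tty.encode(), b"", user.encode(), host.encode(),
                            0, 0, 0, tv_sec, 0, *words, b"")


# Constructed sample: five failures for root and one for admin from one TEST-NET-3
# address, plus a single console failure by a user who likely mistyped a password.
SAMPLE_BTMP = b"".join(
    [build_record("root", "203.0.113.7", "203.0.113.7", 1_700_000_000 + i * 2) for i in range(5)]
    + [build_record("admin", "203.0.113.7", "203.0.113.7", 1_700_000_010),
       build_record("alice", "", "", 1_700_000_100, tty="tty1")]
)

if __name__ == "__main__":
    recs = list(parse_btmp(SAMPLE_BTMP))
    for r in recs:
        print(f'{r["time"]} {r["type"]:<13} user={r["user"]:<6} tty={r["tty"]:<9} '
              f'from {r["addr"] or r["host"] or "-"}')
    print(failed_login_summary(recs))
```

Run it as-is to see the constructed sample decoded, or call `load_btmp()` on a copy of a real btmp file. The IPv4/IPv6 decision mirrors how `last` treats `ut_addr_v6` (IPv4 when words 1..3 are zero); `tv_sec` is a 32-bit field in this layout, so the timestamp decoding follows the on-disk width rather than the host clock.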
Forensic Value
Failed login telemetry reveals probing of the attack surface, credential stuffing, and ordinary users mistyping credentials. It supports timeline reconstruction and correlation with authentication logs and network telemetry.