linux-failed-logins
Parses the /var/log/btmp file to query the login failure history on a Linux system. Returns the time, username, and source IP address of each failed login attempt as structured fields.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
linux-failed-logins [ignore-error=BOOL]
Options
ignore-error=BOOL - How to handle errors when the /var/log/btmp file cannot be read. (Default: f)
- t: Ignores the error and returns an empty result.
- f: Raises an error and aborts query execution.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Login failure time |
| user | string | Username of the login attempt |
| src_ip | ipaddr | Remote IP address of the login attempt. Returns null for local attempts. |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Executed without administrator privileges |
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | - | The /var/log/btmp file could not be read | If ignore-error=t, returns empty result and exits normally. Otherwise, aborts query execution. |
Description
The linux-failed-logins command parses the /var/log/btmp file in binary format to extract the login failure history. The btmp file records all failed login attempts and can be used for security analysis such as brute-force attack detection.
The /var/log/btmp file is owned by root:utmp and has restricted read permissions by default, so an error occurs if there are insufficient file access permissions. In this case, use the ignore-error=t option to ignore the error and return an empty result.
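The following is an added example, not part of the command's own implementation: a minimal Python reader for the binary btmp format that produces the same three output fields (_time, user, src_ip) and mirrors the ignore-error contract. It assumes the glibc struct utmp layout on x86_64 (384-byte records); the sample records are constructed, not taken from a real host.

```python
import socket
import struct
from datetime import datetime, timezone

# Assumed record layout: glibc struct utmp on x86_64 Linux, 384 bytes per record.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _src_ip(addr: bytes):
    # ut_addr_v6: IPv4 occupies the first 4 bytes; all zero means a local (tty) attempt.
    if addr == b"\0" * 16:
        return None
    if addr[4:] == b"\0" * 12:
        return socket.inet_ntop(socket.AF_INET, addr[:4])
    return socket.inet_ntop(socket.AF_INET6, addr)

def parse_btmp(data: bytes) -> list:
    # One dict per record with the command's three output fields: _time, user, src_ip.
    rows = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        user, tv_sec, addr = fields[4], fields[9], fields[11]
        if not user.strip(b"\0"):
            continue  # empty slot, nothing to report
        rows.append({"_time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
                     "user": _cstr(user), "src_ip": _src_ip(addr)})
    return rows

def failed_logins(path: str = "/var/log/btmp", ignore_error: bool = False) -> list:
    # Same contract as ignore-error: t returns an empty result, f raises.
    try:
        with open(path, "rb") as f:
            return parse_btmp(f.read())
    except (PermissionError, FileNotFoundError):
        if ignore_error:
            return []
        raise

def make_record(user: str, ipv4: str, ts: int) -> bytes:
    # Constructed test record (not captured from a real host); type 7 = USER_PROCESS.
    addr = (socket.inet_pton(socket.AF_INET, ipv4) + b"\0" * 12) if ipv4 else b"\0" * 16
    return struct.pack(UTMP_FMT, 7, 4242, b"ssh:notty", b"", user.encode(), ipv4.encode(),
                       0, 0, 0, ts, 0, addr)

# Constructed sample: two remote failures for root from one address, one local failure.
SAMPLE = (make_record("root", "203.0.113.7", 1700000000) + make_record("root", "203.0.113.7", 1700000030)
          + make_record("admin", "", 1700000060))
```

Running the command as a non-administrator behaves like failed_logins() with ignore_error=False: the PermissionError surfaces instead of an empty result.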
Examples
- Query all login failure history
  linux-failed-logins
  Queries all login failure history on the system.
- Query with the ignore-error option
  linux-failed-logins ignore-error=t
  Returns an empty result without an error even if the /var/log/btmp file cannot be read.
- Query failed attempts for a specific user
  linux-failed-logins | search user == "root"
  Filters only login failure attempts for the root user.
- Aggregate failure count by IP address
  linux-failed-logins | stats count by src_ip | sort -count
  Aggregates login failure counts by source IP address to identify IPs with many failures.