Failed User Login

Enabled by default

Service: syslog

Log type: auth.log

Failed user logins can show possible password spray and password guessing attacks. Not every failed login is an attack, but they can be early indicators of one. This log is required by the PCI DSS regulation.

View Logs

grep failure /var/log/auth.log

Check Logging Status

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Disable Logging

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Enable Logging

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Language: bash

Back to Linux Ubuntu

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

JPCERT/CC

Level: Recommended

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Linux calls this log authentication failure. To view this log in the GNOME logs viewer, search in the security tab for authentication or failure.

In order to view this log from the command line, enter the command grep failure /var/log/auth.log. If there are other failures in the auth.log, replace failure in the command with “authentication failure”.

Failed User Login

Enabled by default

Service: syslog

Log type: auth.log

Compliance

HIPAA

NSA Event Forwarding

JPCERT/CC

Additional References