The following Splunk search returns the users who made unsuccessful attempts to log in to an OS X machine, counted per user, host and day. The rex names its capture group USER, which is the field the later stats command counts by (the angle-bracketed group name is easy to lose when the search is pasted through HTML):

sourcetype=osx_secure | rex "authinternal\sfailed\sto\sauthenticate\suser\s(?<USER>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by USER, host, Date | sort - count
Gauge of Windows Failed Logons
Single-value gauge of Windows failed logons. EventCode 4625 is the logon failure on Vista/Server 2008 and later; 529 through 539 are the legacy XP/Server 2003 failure codes (538 is a logoff, not a failure, which is why it is absent from the list). Adjust the gauge ranges to meet your environment's needs; the four boundaries below give three bands, 1-25, 25-50 and 50-150. Note that count(user) only counts events where the user field was extracted, so a bare count is the safer choice if your Windows TA does not populate that field.

sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) Logon_Type=* | stats count(user) as Failed_Logon | gauge Failed_Logon 1 25 50 150
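To check the extraction and aggregation logic of both searches without a Splunk instance, here is an added Python example (not part of the original page) that runs the OS X rex over a handful of constructed secure.log lines, groups the matches by USER, host and date the way the stats command does, and maps a total onto the bands of the gauge 1 25 50 150 used in the Windows search. The log lines, the host names, the user names and the BSD syslog layout are all assumptions made for the example; syslog stamps carry no year, so one is supplied explicitly where Splunk would take it from the index time.

```python
import re
from collections import Counter
from datetime import datetime

# Same pattern as the rex in the OS X search; the named group becomes the
# USER field that stats counts by.
FAILED_AUTH = re.compile(
    r"authinternal\sfailed\sto\sauthenticate\suser\s(?P<USER>\S+)"
)

# Constructed sample lines (not real data). Layout assumed here is the BSD
# syslog form "<Mon> <day> <HH:MM:SS> <host> <proc>[pid]: <msg>". The third
# line is a constructed non-failure message that must not match the rex.
SAMPLE_SECURE_LOG = """\
Mar  3 09:12:01 mac-01 authorizationhost[412]: authinternal failed to authenticate user alice
Mar  3 09:12:07 mac-01 authorizationhost[412]: authinternal failed to authenticate user alice
Mar  3 09:13:10 mac-01 authorizationhost[412]: authinternal authenticated user alice
Mar  4 22:40:55 mac-02 authorizationhost[980]: authinternal failed to authenticate user bob
Mar  4 22:41:02 mac-02 authorizationhost[980]: authinternal failed to authenticate user bob
Mar  4 22:41:09 mac-02 authorizationhost[980]: authinternal failed to authenticate user bob
"""


def failed_logons(log_text, year=2024):
    """Replicate `rex ... | eval Date | stats count by USER, host, Date | sort - count`.

    Returns a list of ((user, host, 'YYYY/MM/DD'), count) tuples, highest
    count first. Lines that do not match the rex drop out, exactly as they
    do in Splunk. The year is an assumption (syslog stamps have none).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if not m:
            continue
        mon, day, clock, host = line.split(None, 4)[:4]
        when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        counts[(m.group("USER"), host, when.strftime("%Y/%m/%d"))] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def gauge_band(value, ranges=(1, 25, 50, 150)):
    """Return the 0-based band a value falls in for `gauge <field> 1 25 50 150`.

    Four boundaries give three bands: [1,25), [25,50) and [50,150]. Values
    below the first or above the last boundary are reported in the end bands,
    matching a gauge needle that pegs at either end. Returns None when fewer
    than two boundaries are given, since no band can be formed.
    """
    if len(ranges) < 2:
        return None
    for i in range(len(ranges) - 1):
        if value < ranges[i + 1]:
            return i
    return len(ranges) - 2


if __name__ == "__main__":
    rows = failed_logons(SAMPLE_SECURE_LOG)
    for (user, host, date), n in rows:
        print(f"{n:>4}  {user:<8} {host:<8} {date}")
    total = sum(n for _, n in rows)
    print(f"total={total} band={gauge_band(total)}")
```

Running it lists bob on mac-02 with three failures and alice on mac-01 with two; the success line is ignored because the rex does not match it. Swap the constructed lines for a slice of your own secure.log to confirm the regex matches your OS X version's message text before trusting the search, since a trailing period or a different wording in the message would change what lands in USER.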