This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names:
sourcetype=linux_secure
| rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?gdm-\w+)\S:\s"
| search session=gdm-password
| rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?\S+)\s.+\Sgdm-password:auth\S:\s(?\w+\s\w+);\s.+user=(?\S+)"
| search authstatus="authentication failure"
| stats count by username
| sort - count
or do a count by source IP and map them ” | iplocation src_ip | geostats count by src_ip”. See the country of origin for your attacks on a map!
This is assuming that GDM is the interface fronting the login?
its not working at all…..why?
sourcetype=linux_secure
| rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?gdm-\w+)\S:\s”
| search session=gdm-password
| rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?\S+)\s.+\Sgdm-password:auth\S:\s(?\w+\s\w+);\s.+user=(?\S+)”
| search authstatus=”authentication failure”
| stats count by username
| sort – count