This displays a list of failed attempts against each connecting IP. Can be used to detect brute force from a particular source IP. You can then put a block up via ACL or whatever method you chose to mitigate the issue. The NOT clause on the first line ignore all attempts to logon to “invalid accounts”.
index=hosts "Failed password for " NOT "Failed password for invalid"
| rex "Failed\spassword\sfor\s(?<username>.*)\sfrom\s(?<source_ip>\d+.\d+.\d+.\d+)\sport\s(?<port>\d+)\s(?<protocol>.*)"
| stats count(source_ip) as "Failed Attempts" by source_ip
| iplocation source_ip
| sort - "Failed Attempts"
| table source_ip,"Failed Attempts",City,Country
Admin Notes: You’ll likely need to specify a different index and/or sourcetype.