Linux Auth Monitoring with Splunk
Authentication logs are one of the highest-signal data sources on a Linux host. This lab forwards them into Splunk and builds searches that turn a stream of raw events into a small set of detections worth acting on.
Technologies
Splunk · SIEM · Linux · Syslog · Log Analysis
Problem
Failed logins are constant background noise. The challenge is separating an ordinary failure from a pattern — a burst of attempts against one account, or repeated failures from a single source — without drowning in alerts.
Architecture
Linux hosts forward auth events to Splunk. Searches parse the relevant fields and aggregate by source IP, user, and time window to surface brute-force behaviour.
Security considerations
The work focuses on early detection of credential attacks against SSH, the most commonly exposed service on a Linux box.
Challenges
Field extraction and threshold tuning took the most care — too sensitive and the detection is noise, too loose and a slow attack slips through.
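As an added example, not part of the original lab, the field extraction and windowed aggregation described under Architecture and Challenges written in Python over constructed sshd syslog lines instead of as a Splunk search: the regex plays the role of a `rex` extraction, the sliding-window count stands in for `bin _time` / `stats count by src user` / `where`, and the two tunings at the end illustrate a fast burst versus a low-and-slow pattern. The log lines, hostnames, IPs and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines: a fast burst from 203.0.113.5, one isolated failure,
# and a slow trickle against "bob" from 192.0.2.44. Not real host data.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar 10 09:00:04 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar 10 09:00:07 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 10 09:00:09 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 10 09:00:12 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar 10 09:01:30 web1 sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 50111 ssh2
Mar 10 09:02:15 web1 sshd[2107]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar 10 09:40:00 web1 sshd[2108]: Failed password for bob from 192.0.2.44 port 52000 ssh2
Mar 10 10:20:00 web1 sshd[2109]: Failed password for bob from 192.0.2.44 port 52001 ssh2
Mar 10 11:05:00 web1 sshd[2110]: Failed password for bob from 192.0.2.44 port 52002 ssh2
"""

# Field extraction (the job a Splunk rex does): timestamp, user and source IP from
# "Failed password" events only; successful logins and other lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Return [(timestamp, src, user)] for each failed-password line in text."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                        m["src"], m["user"]))
    return out

def detect(events, key, span_s, threshold):
    """Sliding-window failure count per key (src, or (src, user)); returns
    {key: (first_ts, last_ts, count)} for keys that reached the threshold.
    Unlike a fixed bin, a sliding window cannot miss a burst that straddles a boundary."""
    windows = defaultdict(deque)
    hits = {}
    for ts, src, user in sorted(events):
        k = key(src, user)
        q = windows[k]
        q.append(ts)
        while (ts - q[0]).total_seconds() > span_s:  # age out events beyond the window
            q.popleft()
        if len(q) >= threshold:
            hits[k] = (q[0], ts, len(q))
    return hits
```

Two tunings worth comparing on the sample: `detect(ev, lambda s, u: s, 300, 5)` flags a source hammering any account, while `detect(ev, lambda s, u: (s, u), 3 * 3600, 3)` catches the slow trickle against one account that the first rule misses.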
Lessons learned
A good detection is a small, legible search backed by a clear question. Starting from "what does an attack look like in this data?" produces better results than alerting on everything.