Hi,
How can I monitor successful and failed logins on Linux servers? I have a forwarder and the Splunk Add-on for Unix and Linux installed on the server.
You can get the failed ones like this:
index=os process=sshd eventtype=failed_login
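The search above only covers the failed side of the question. As an added example (not part of the original answer, and not Splunk code), here is a small Python parser that classifies the same sshd lines that the [monitor:///var/log] input ships to Splunk into successful and failed logins, and flags source addresses with repeated failures. The sample log lines are constructed for the example, and the three-failure threshold is an arbitrary assumption; the regexes match the standard OpenSSH "Accepted ...", "Failed ..." and "Invalid user ..." messages.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL). Not real data.
SAMPLE_AUTH_LOG = """\
Jul  7 09:12:01 web1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: RSA SHA256:abc
Jul  7 09:12:44 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  7 09:12:46 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul  7 09:12:49 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jul  7 09:13:05 web1 sshd[2215]: Invalid user oracle from 203.0.113.7 port 40140
Jul  7 09:15:10 web1 sshd[2230]: Accepted password for alice from 192.0.2.10 port 50210 ssh2
Jul  7 09:15:11 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix: timestamp, host, then the sshd[pid]: body we care about.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<body>.*)$"
)
# Standard OpenSSH auth messages.
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")


def parse_sshd_events(text):
    """Return a list of login events (success or failure) found in auth log text."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # cron, sudo and other non-sshd lines are ignored
        body = m.group("body")
        base = {"ts": m.group("ts"), "host": m.group("host")}
        if (a := ACCEPTED_RE.match(body)):
            events.append({**base, "outcome": "success", **a.groupdict()})
        elif (f := FAILED_RE.match(body)):
            events.append({**base, "outcome": "failure", **f.groupdict()})
        elif (i := INVALID_RE.match(body)):
            # "Invalid user" is logged before any password attempt; count it as a failure.
            events.append({**base, "outcome": "failure", "method": "invalid_user",
                           "port": None, **i.groupdict()})
    return events


def summarize(events, fail_threshold=3):
    """Count outcomes and flag sources with >= fail_threshold failures (assumed threshold)."""
    outcomes = Counter(e["outcome"] for e in events)
    failures_by_src = Counter(e["src"] for e in events if e["outcome"] == "failure")
    return {
        "success": outcomes["success"],
        "failure": outcomes["failure"],
        "failures_by_src": dict(failures_by_src),
        "suspicious_sources": sorted(s for s, n in failures_by_src.items() if n >= fail_threshold),
        "root_attempts": sum(1 for e in events if e["user"] == "root"),
    }


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(f'{e["ts"]} {e["host"]} {e["outcome"]:7} user={e["user"]} src={e["src"]} method={e["method"]}')
    print(summarize(evs))
```

Run it against a real file with `parse_sshd_events(open("/var/log/auth.log").read())`; the same three message shapes are what a Splunk search over the monitored auth log keys on, so the successful side of the question comes down to matching the "Accepted" lines rather than only the "Failed" ones.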
Yes, just make sure the user running Splunk has permissions to your /var/log/ directory, and that you enable the [monitor:///var/log] stanza in the Splunk_TA_nix inputs.conf (this can be done via the GUI under the Apps menu:
Apps -> Splunk add-on for Nix).
http://www.function1.com/2015/07/splunking-the-linux-audit-system