🛡️ How I Built a Splunk Dashboard to Detect Failed SSH Logins on Ubuntu

Tools used: Splunk Enterprise, Ubuntu Server, VirtualBox, auth.log

  • Launch VirtualBox and start your Ubuntu Server VM.
  • Ensure Splunk Enterprise is installed on the same VM or a separate Ubuntu VM.

  1. Download Splunk Enterprise .deb from splunk.com.
  2. Install it with:
    sudo dpkg -i splunkfilename.deb
  3. Start and accept license:
    sudo /opt/splunk/bin/splunk start --accept-license
  4. Log into Splunk Web at http://localhost:8000

  • From a terminal, run: ssh testuser@your_vm_ip
  • Enter the wrong password multiple times (10+).
  • Verify logs with:
    grep "Failed password" /var/log/auth.log

  1. Go to Splunk Web → Settings → Add Data
  2. Select "Monitor" → "Files & Directories"
  3. Enter /var/log/auth.log
  4. Set source type to linux_secure or custom
  5. Assign it to the main index

Use the following SPL query in the search bar:

index=main "Failed password" sourcetype=linux_secure

Create a new dashboard and add these panels:

Panel 1 – Most failed attempts by IP and user:

index=main "Failed password" sourcetype=linux_secure
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count by ip, user
| sort - count

Panel 2 – Timechart of failed attempts:

index=main "Failed password"
| timechart count by host

Set up an alert for high-frequency login failures:

index=main "Failed password" sourcetype=linux_secure
| rex "from (?<ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count by ip
| where count > 5

Save it as an alert in Splunk and set your trigger actions (email, dashboard, etc.).
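Before pasting the rex into Splunk, it is worth checking the pattern against real auth.log lines. The script below is an added example (not part of the original write-up) that applies the same regex to a few constructed sshd lines and reproduces the Panel 1 grouping and the `count > 5` alert logic offline; the log lines and host names are made up.

```python
import re
from collections import Counter

# Same pattern the dashboard's rex command relies on, extended to also capture
# the user name, so the regex can be validated before it goes into SPL.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 ubuntu sshd[1201]: Failed password for testuser from 192.168.56.10 port 50112 ssh2
Mar  3 10:01:05 ubuntu sshd[1201]: Failed password for testuser from 192.168.56.10 port 50112 ssh2
Mar  3 10:01:09 ubuntu sshd[1203]: Failed password for invalid user admin from 192.168.56.10 port 50118 ssh2
Mar  3 10:01:15 ubuntu sshd[1205]: Accepted password for testuser from 192.168.56.20 port 50130 ssh2
Mar  3 10:01:20 ubuntu sshd[1207]: Failed password for root from 10.0.0.7 port 41000 ssh2
Mar  3 10:01:21 ubuntu sshd[1201]: Failed password for testuser from 192.168.56.10 port 50112 ssh2
Mar  3 10:01:24 ubuntu sshd[1201]: Failed password for testuser from 192.168.56.10 port 50112 ssh2
Mar  3 10:01:30 ubuntu sshd[1209]: Failed password for invalid user oracle from 192.168.56.10 port 50140 ssh2
"""


def parse_failed_logins(text):
    """Return (ip, user) for every 'Failed password' line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            results.append((m.group("ip"), m.group("user")))
    return results


def count_by_ip_user(events):
    """Equivalent of '| stats count by ip, user' (Panel 1)."""
    return Counter(events)


def noisy_ips(events, threshold=5):
    """Equivalent of '| stats count by ip | where count > 5' (the alert)."""
    per_ip = Counter(ip for ip, _ in events)
    return {ip: n for ip, n in per_ip.items() if n > threshold}


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    for (ip, user), n in count_by_ip_user(events).most_common():
        print(f"{n:3d}  {ip:15}  {user}")
    print("alert:", noisy_ips(events))
```

The "Accepted password" line is skipped, and the "invalid user" variant is folded into the same ip/user grouping the dashboard shows.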

This hands-on project helped me gain experience with log monitoring, threat detection, and SPL.