/var/log/faillog: Explanation & Insights

Records failed login attempts

The /var/log/faillog file is a system log file that records all failed login attempts in a Linux system. It is a key part of the system's security infrastructure, providing administrators with important information about unauthorized access attempts. This can be crucial in detecting potential security threats and mitigating them before they cause significant damage.

What does /var/log/faillog contain?

The /var/log/faillog file contains records of all failed login attempts. Each record in this file contains the following information:

  • Time of the failed attempt
  • User ID that was used
  • Terminal where the attempt was made

Here's an example of what an entry in the faillog might look like:

root ssh:notty sshd[12345]: Failed password for invalid user hacker from port 12345 ssh2

How to Use /var/log/faillog?

To read the /var/log/faillog file, you can use the faillog command. This command displays the contents of the faillog file in a more human-readable format. Here's an example:

faillog -u username

This command will display all failed login attempts for the user 'username'.
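
As an added example (not part of the original page and not shadow-utils code), the following Python reads the file's records directly rather than through the faillog command, and lists accounts with excessive failures. It assumes the binary layout of struct faillog from shadow-utils on 64-bit Linux, with one fixed-size record per UID; the function names, the alert threshold and the sample bytes are constructed for illustration.

```python
import struct
import time

# Assumed layout (struct faillog, shadow-utils, 64-bit Linux):
#   short fail_cnt; short fail_max; char fail_line[12];
#   time_t fail_time; long fail_locktime;   -> 32 bytes per record
RECORD = struct.Struct("=hh12sqq")


def parse_faillog(data):
    """Yield one dict per UID whose failure counter is non-zero."""
    # The record for UID n sits at offset n * RECORD.size. A trailing
    # partial record (truncated file) is ignored.
    for uid in range(len(data) // RECORD.size):
        cnt, fmax, line, when, lock = RECORD.unpack_from(data, uid * RECORD.size)
        if cnt <= 0:
            continue
        yield {
            "uid": uid,
            "failures": cnt,
            "max": fmax,  # 0 means no per-account limit is set
            "line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "time": when,  # epoch seconds of the last failure
            "lock_secs": lock,
        }


def excessive(records, threshold):
    """UIDs at or above the alert threshold, or at their own fail_max."""
    return [r["uid"] for r in records
            if r["failures"] >= threshold or 0 < r["max"] <= r["failures"]]


def build_sample():
    """Constructed sample bytes: three records plus a truncated tail."""
    recs = [
        RECORD.pack(0, 0, b"", 0, 0),                    # UID 0: no failures
        RECORD.pack(7, 0, b"ssh:notty", 1700000000, 0),  # UID 1: 7 failures
        RECORD.pack(2, 2, b"tty1", 1700000600, 300),     # UID 2: at fail_max
    ]
    return b"".join(recs) + b"\x00" * 5


if __name__ == "__main__":
    records = list(parse_faillog(build_sample()))
    for r in records:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["time"]))
        print(f"uid={r['uid']} failures={r['failures']} max={r['max']} "
              f"line={r['line']} last={stamp}Z")
    print("alert on UIDs:", excessive(records, threshold=5))
```

To run it against a real system, replace build_sample() with the bytes of /var/log/faillog read in binary mode, which normally requires root.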

Why is /var/log/faillog Important?

The /var/log/faillog file is important for several reasons. Firstly, it allows system administrators to identify failed login attempts, which could indicate a potential security threat. Secondly, it provides essential information needed for forensic analysis in case of a security breach. Lastly, it can be used as part of a security monitoring system to automatically detect and alert on excessive failed login attempts, which could indicate a brute-force attack.

Problems Diagnosed and Solved with /var/log/faillog

The /var/log/faillog file can help diagnose a variety of issues:

  • Unauthorized access attempts: If you notice a high number of failed login attempts from a single IP address or for a single user, this can indicate an unauthorized person trying to gain access to your system.

  • User account issues: If a legitimate user is consistently failing to log in, the faillog can help diagnose if there is an issue with their account, like a forgotten or expired password.


Understanding the /var/log/faillog file and knowing how to interpret its contents is crucial for maintaining the security of your Linux server. It provides a wealth of information about failed login attempts and can be a key tool in your security toolkit. Remember, staying informed about your system's activity is the first step towards safeguarding it against potential threats.

Except where otherwise noted, content on this site is licensed under a CC BY-SA 4.0 license.