Hi, can anyone provide an example query that tracks failed ssh attempts on linux? I couldn't find a table that stores this info. I'm about to try creating a lense for /var/log/auth.log and getting the info that way but wonder if there is an easier approach.

I had to resort to Apple Unified Logs for this same use case on macOS

I'm not aware of a place the OS stores this. There might be an event somewhere, otherwise it's log parsing.

After doing some more research, it looks like augeas lenses are meant for parsing standard configuration files rather than logs, so it won't work. Probably best to craete a new osquery table module that parses and stores the content of the target log file.