You want /var/log/auth.log, not syslog.
It'll contain lines like this:

    Mar 20 10:47:24 Opus su[15918]: pam_unix(su:auth): authentication failure; logname=lfaraone uid=1000 euid=0 tty=/dev/pts/25 ruser=lfaraone rhost= user=root

Basic, naive code to accomplish the problem would be as follows:

    loginattempts = {"root": 0,
                     "someuser": 0}  # Usernames you want to check

    with open('/var/log/auth.log', 'r') as authlog:
        for line in authlog:
            if "authentication failure" in line:
                # Split the line on '=' and take the last piece (the user= value);
                # strip() drops the trailing newline so the dictionary lookup can match
                username = line.split('=')[-1].strip()
                if username in loginattempts:  # is the username one we care about?
                    loginattempts[username] += 1

Like user calmh suggested, it will probably be better long-term to parse with regular expressions, but if you don't know them already, it can be non-trivial to learn.
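
The regular-expression approach mentioned above, as an added example that is not part of the original answer: it parses the key=value fields of each pam_unix failure line and counts failures per watched user and PAM service. The sample lines are constructed in the format shown above (one deliberately has no user= field, a case where taking the text after the last '=' would pick up the rhost value instead), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the pam_unix format shown above (not real log data).
SAMPLE_LINES = [
    "Mar 20 10:47:24 Opus su[15918]: pam_unix(su:auth): authentication failure; "
    "logname=lfaraone uid=1000 euid=0 tty=/dev/pts/25 ruser=lfaraone rhost= user=root",
    "Mar 20 10:48:02 Opus sshd[16001]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Mar 20 10:48:09 Opus sshd[16003]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",  # no user= field
    "Mar 20 10:49:30 Opus sudo: pam_unix(sudo:session): session opened for user root",
]

# Match only pam_unix auth failures; capture the PAM service and the key=value tail.
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;(?P<fields>.*)$"
)
# Values may be empty (e.g. "rhost="), so \S* rather than \S+.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return (service, fields dict) for a pam_unix auth failure line, else None."""
    match = FAILURE_RE.search(line.rstrip("\n"))
    if match is None:
        return None
    return match.group("service"), dict(FIELD_RE.findall(match.group("fields")))


def count_failures(lines, watched):
    """Count failures per (target user, service) for users in `watched`."""
    counts = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        service, fields = parsed
        user = fields.get("user")  # absent on some lines; never guess from the tail
        if user in watched:
            counts[(user, service)] += 1
    return counts


if __name__ == "__main__":
    for (user, service), n in sorted(count_failures(SAMPLE_LINES, {"root", "someuser"}).items()):
        print(f"{user} via {service}: {n}")
```

To run it against the real file, pass the open file object for /var/log/auth.log to count_failures in place of SAMPLE_LINES.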