
There's a lot of value. For example, if you see failed logins against random user names like "dbadmin" or "root" it's likely just random scanning, but what if suddenly lots and lots of valid user names appear?



That's a great point, but I get back to the root question: who's actually looking at this? If people are examining logs it's usually for a particular trigger or a problem and filtering that signal from the noise is hard.


Likely, nobody is directly looking at the logs.

But they might be using software that automatically raises an alert when it sees repeated login attempts for a valid username.

Isn't that one of the purposes of Splunk?


It's more typical of the servers-as-pets than servers-as-cattle scenario, but sometimes one is simply curious [or extra cautious]. SSH honeypots exist at least in part for this reason.


> servers-as-pets

This is a great way to put it.


> who's actually looking at this?

Well, your security team, post incident. But also automated systems like fail2ban.


And log collectors like Splunk (with configured alerts, etc.)


grep and zgrep will work wonders for checking for actual usernames in these logs, even if they have a significant amount of spam in them.
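As an added example (not from any commenter), this is the kind of logic the "alert on repeated attempts for a valid username" and grep comments above describe, run over constructed sshd lines. It relies on OpenSSH tagging failures for nonexistent accounts with "invalid user", so a failure line without that tag concerns a real account; the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd lines (syslog prefix stripped); not real log data.
SAMPLE_LOG = """\
Failed password for invalid user dbadmin from 198.51.100.9 port 40122 ssh2
Failed password for invalid user root from 198.51.100.9 port 40123 ssh2
Failed password for alice from 203.0.113.7 port 51234 ssh2
Failed password for alice from 203.0.113.7 port 51235 ssh2
Failed password for alice from 203.0.113.7 port 51236 ssh2
Failed password for bob from 203.0.113.8 port 51300 ssh2
Failed password for carol from 203.0.113.8 port 51301 ssh2
Accepted publickey for alice from 10.0.0.12 port 60000 ssh2
"""

# OpenSSH adds "invalid user" only when the account does not exist on the host,
# so a failure line without that marker names a real account.
FAILED_RE = re.compile(
    r"Failed \S+ for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text):
    """Return two Counters keyed by (user, source ip): failures against existing
    accounts and failures against nonexistent ones (the usual scanner noise)."""
    valid, invalid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not failures
        bucket = invalid if m.group("invalid") else valid
        bucket[(m.group("user"), m.group("ip"))] += 1
    return valid, invalid

def assess(valid, per_user_threshold=3, distinct_user_threshold=2):
    """Alerts for failures against existing accounts; thresholds are assumptions."""
    per_user = Counter()
    for (user, _ip), n in valid.items():
        per_user[user] += n
    alerts = [f"{n} failures for valid user {u}: possible targeted attack"
              for u, n in sorted(per_user.items()) if n >= per_user_threshold]
    if len(per_user) >= distinct_user_threshold:
        alerts.append(f"failures against {len(per_user)} distinct valid users: "
                      "possible credential compromise")
    return alerts

if __name__ == "__main__":
    valid, _ = parse_failures(SAMPLE_LOG)
    for alert in assess(valid):
        print("ALERT:", alert)
```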


> but what if suddenly lots and lots of valid user names appear?

Then what are you going to do?


Well, that would highly depend on what I'm seeing. If it's a single user, there might be an attack on the way against that user. If it's multiple users, there might have been a compromise of some credentials.

It's definitely something you need to investigate.


At a minimum, spend some of my limited time and attention on this issue rather than the 100s of other things that might be clamoring for my time.


What are you going to do to solve that issue?



