Monitor Security Logs for Failed Login Attempts with Slack Alerts

How It Works: The 5-Node Anomaly Detection Flow

This workflow polls a log API on a schedule, counts the failed login events in each fetched batch, and posts a Slack alert when that count crosses a threshold you set.

Scheduled Check (Cron Node): This is the primary trigger. It schedules the workflow to run at a defined interval (e.g., every 15 minutes), ensuring logs are routinely scanned for suspicious activity.

Fetch Logs (HTTP Request Node): This node is responsible for retrieving logs from an external source. It sends a request to your log API endpoint to get a batch of the most recent logs.

Count Failed Logins (Code Node): This is the core of the detection logic. The JavaScript code filters the logs for a specific event ("login_failure"), counts the total, and identifies unique IPs involved. This information is then passed to the next node.

Failed Logins > Threshold? (If Node): This node serves as the final filter. It checks whether the number of failed logins in the fetched batch exceeds a threshold you set (e.g., more than 5 attempts). If it does, the workflow is routed to the notification node; if not, the workflow ends without sending anything.

Send Anomaly Alert (Slack Node): This node sends an alert to your team if an anomaly is detected. The Slack message includes a summary of the anomaly, such as the number of failed attempts and the IPs involved, enabling a swift response.

How to Set Up

Implementing this essential log anomaly detector in your n8n instance is quick and straightforward.

Prepare Your Credentials & API:
Log API: Make sure you have an API endpoint or a way to get logs from your system (e.g., a server, CMS, or application). The logs should be in JSON format, and you'll need any necessary API keys or tokens.
Slack Credential: Set up a Slack credential in n8n and get the Channel ID of your security alert channel (e.g., #security-alerts).

Import the Workflow JSON: Create a new workflow in n8n and choose "Import from JSON." Paste the JSON code (which was provided in a previous response).

Configure the Nodes:
Scheduled Check (Cron): Set the schedule according to your preference (e.g., every 15 minutes).
Fetch Logs (HTTP Request): Update the URL and header/authentication to match your specific log API endpoint.
Count Failed Logins (Code): Verify that the JavaScript code matches your log's JSON format. You may need to adjust log.event === 'login_failure' if your log events use a different name.
Failed Logins > Threshold? (If): Adjust the threshold value (e.g., 5) based on your risk tolerance.
Send Anomaly Alert (Slack): Select your Slack credential and enter the correct Channel ID.

Test and Activate:
Manual Test: Run the workflow manually to confirm it fetches logs and processes them correctly. You can temporarily lower the threshold to 0 to ensure the alert is triggered.
Verify Output: Check your Slack channel to confirm that alerts are formatted and sent correctly.
Activate: Once you're confident in its function, activate the workflow. n8n will now automatically monitor your logs on the schedule you set.
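The detection logic described for the Count Failed Logins (Code) node and the Failed Logins > Threshold? (If) node above, together with the Slack summary text, written out as plain JavaScript functions. This is an added example, not the template's own Code node script. It assumes each log entry is a JSON object with an "event" field (the event name is configurable, matching the log.event === 'login_failure' check you may need to adjust) and an "ip" field; both field names are assumptions, and the log batch is constructed inline to stand in for the HTTP Request node's response. Entries with a missing or empty "ip" are still counted and grouped under "unknown" so a malformed record cannot hide a burst of failures.

```javascript
// Added example of the Code node + If node logic; not the template's own code.
// Assumed log shape: { timestamp, event, ip, user } with "event" and "ip" as
// the fields the detection reads (assumption, adjust to your log format).

// Constructed sample batch standing in for the HTTP Request node's response.
const SAMPLE_LOGS = [
  { timestamp: "2025-08-13T10:00:01Z", event: "login_failure", ip: "203.0.113.10", user: "alice" },
  { timestamp: "2025-08-13T10:00:05Z", event: "login_failure", ip: "203.0.113.10", user: "alice" },
  { timestamp: "2025-08-13T10:00:09Z", event: "login_success", ip: "198.51.100.7", user: "bob" },
  { timestamp: "2025-08-13T10:01:12Z", event: "login_failure", ip: "203.0.113.10", user: "root" },
  { timestamp: "2025-08-13T10:01:30Z", event: "login_failure", ip: "198.51.100.23", user: "admin" },
  { timestamp: "2025-08-13T10:02:00Z", event: "login_failure", user: "admin" }, // no ip field
  { timestamp: "2025-08-13T10:02:45Z", event: "login_failure", ip: "203.0.113.10", user: "alice" },
  { timestamp: "2025-08-13T10:03:00Z", event: "login_failure", ip: "192.0.2.55", user: "alice" },
];

// Count Failed Logins: filter the batch for the failure event, total it,
// and collect the unique source IPs with a per-IP count.
function countFailedLogins(logs, eventName = "login_failure") {
  const entries = Array.isArray(logs) ? logs : []; // tolerate a non-array response
  const failures = entries.filter((log) => log && log.event === eventName);
  const perIp = new Map();
  for (const log of failures) {
    // A record without a usable ip is still a failure; group it as "unknown".
    const ip = typeof log.ip === "string" && log.ip.length > 0 ? log.ip : "unknown";
    perIp.set(ip, (perIp.get(ip) || 0) + 1);
  }
  return {
    failedCount: failures.length,
    uniqueIps: [...perIp.keys()],
    attemptsPerIp: Object.fromEntries(perIp),
  };
}

// Failed Logins > Threshold?: the If node's condition (strictly greater than).
function exceedsThreshold(summary, threshold = 5) {
  return summary.failedCount > threshold;
}

// Send Anomaly Alert: the summary text the Slack node would post.
function buildSlackMessage(summary, threshold) {
  const lines = [
    `Login anomaly: ${summary.failedCount} failed logins in this batch (threshold ${threshold})`,
    `Unique source IPs (${summary.uniqueIps.length}):`,
  ];
  const sorted = Object.entries(summary.attemptsPerIp).sort((a, b) => b[1] - a[1]);
  for (const [ip, n] of sorted) {
    lines.push(`- ${ip}: ${n} attempt${n === 1 ? "" : "s"}`);
  }
  return lines.join("\n");
}

// Run the three steps on one batch; "message" is null when no alert is due.
function runDetection(logs, { eventName = "login_failure", threshold = 5 } = {}) {
  const summary = countFailedLogins(logs, eventName);
  const anomaly = exceedsThreshold(summary, threshold);
  return { ...summary, anomaly, message: anomaly ? buildSlackMessage(summary, threshold) : null };
}

// Inside an n8n Code node the same logic would read the batch with
// $input.all().map((item) => item.json) and return [{ json: runDetection(...) }].
const result = runDetection(SAMPLE_LOGS, { threshold: 5 });
console.log(JSON.stringify(result, null, 2));
```

Because the count covers only the batch the HTTP Request node returned, the Cron interval and the batch size together define the detection window; if the API returns the same recent records on consecutive runs, the same failures will be counted (and alerted on) more than once, so filter by timestamp or request only records since the last run if your log API supports it.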

Complexity: beginner
Created: 8/13/2025
Updated: 11/17/2025
