
Does Syspeace detect login attempts from every program or every web site running on my server?

Syspeace detects login attempts by reading logs that contain information about login attempts. Anything that writes to these logs, Syspeace can detect. With the built-in support, Syspeace can detect login attempts from Windows login, the SMTP Exchange connector and SQL Server. Syspeace can also be extended with other detectors to support other sources; see the Syspeace Detector SDK for information on how to develop a detector.

With some code changes and integration work, Syspeace can detect login attempts from programs and web sites running on the same server. This involves installing a Syspeace plugin called the Web detector, which listens for information about login attempts sent by other pieces of software called “reporters”, which are built into the login process of the other program or web site. Syspeace provides templates for reporters and a WordPress reporter plugin; see the Syspeace Detector SDK.

Syspeace usually cannot detect login attempts from web sites without modification. In some cases, a web site causes another form of login that Syspeace does record. For example, Outlook Web Access/Outlook Web App causes Windows login attempts to be logged for the corresponding Active Directory domain account.

Syspeace definitely cannot detect login failures on web sites in a generic form. Even though web servers like Microsoft’s IIS have logs, those logs do not contain enough information, or dependable enough information, to consistently detect a login failure without false positives. The closest the log comes to recording the actual content sent back to the user is the HTTP status code. While there are status codes that in theory could mark the page sent back to the user as a failed login, the status code is more commonly used to indicate whether the process of serving the page was successful. A “could not log in” page is most commonly sent back with the status code “200 OK”, meaning that the page was successfully generated and served by the server.
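The limitation described above can be seen by running a status-code rule over a web server log. This is an added example, not Syspeace code: the log excerpt, the `/account/login` path and the ground-truth labels are constructed for illustration, and the field names are standard IIS W3C extended log fields.

```python
# Constructed IIS W3C extended log excerpt (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-10 08:00:01 POST /account/login - 203.0.113.5 200
2024-01-10 08:00:03 POST /account/login - 203.0.113.5 200
2024-01-10 08:00:05 POST /account/login - 203.0.113.5 200
2024-01-10 08:01:10 POST /account/login - 198.51.100.7 200
2024-01-10 08:02:30 GET /reports/q4.pdf - 198.51.100.7 401
"""

# Constructed ground truth the log itself does not carry: which data lines
# (0-based) were really failed logins. Line 3 is a successful login and
# line 4 is an unauthenticated file request, not a login at all.
ACTUAL_FAILED_LOGINS = {0, 1, 2}

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def flag_by_status(entries, statuses=("401", "403")):
    """Naive heuristic: treat these status codes as failed logins."""
    return {i for i, e in enumerate(entries) if e["sc-status"] in statuses}

def evaluate(text=SAMPLE_LOG, truth=ACTUAL_FAILED_LOGINS):
    entries = list(parse_w3c(text))
    flagged = flag_by_status(entries)
    return {
        "missed": sorted(truth - flagged),
        "false_positives": sorted(flagged - truth),
        # Fields that differ between a failed (0) and a successful (3) login
        "distinguishing_fields": sorted(
            k for k in entries[0]
            if k not in ("date", "time", "c-ip") and entries[0][k] != entries[3][k]
        ),
    }

if __name__ == "__main__":
    print(evaluate())
```

In this sample the rule misses all three failed logins, flags a request that was not a login, and finds no logged field that separates the failed form post from the successful one, which is why the result has to be reported from inside the login process instead.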