Monitor failed logins in Postgres
Catch the login failures that look like an attack — repeated misses from one address — with geo and network context attached before they reach you.
01source
02pipeline · 3 steps
- 01CTLfilter.matchattempt ≥ 5 only
- 02ENRenrich.entityip → geo · asn · known-bad
- 03MUTredact.piimask email before posting
03destinations · 1
- towarehouse.pgPostgrestableevents.signups
the event
You emit login.failed with this shape. The TypeScript SDK keeps the call type-safe, and the event is stored whole — so every field below is available to the pipeline by name.
- emailstring
- ipstring
- reasonstringbad-password | locked | mfa
- attemptnumberconsecutive misses
emit it
From your code with the TypeScript SDK — or any language over the REST endpoint and signed webhook ingress.
import { ingest } from "@ingestlayer/sdk";
await ingest("login.failed", {
email: creds.email,
ip: req.ip,
reason: result.reason,
attempt: result.consecutive,
});route it to Postgres
Insert each event as a row into a table in your own Postgres.
- 01
add the connection
Paste a Postgres connection string. Connections originate from our EU region — allowlist those egress IPs on your database.
- 02
point at a table
Name the target table. Top-level event fields map to columns, and the full payload is also available as a jsonb column.
- 03
map columns
Match event fields to columns with $event.* references, or accept the default mapping into a typed events table.
INSERT INTO events.signups
(user_id, email, plan, source, payload)
VALUES
('u_018f', 'ada@acme.com', 'pro',
'marketing-site', '{ … }'::jsonb);notes
- The target table must already exist with compatible column types; ingestlayer never runs DDL on your database.
- Connections come from fixed EU egress IPs — add them to your firewall, or inserts will time out.
- Use a jsonb column for the full payload when your event shape changes often, so a new field never breaks the insert.
questions
- How do I avoid alerting on typos?
- Filter on the attempt count so a single fat-fingered password stays quiet and only sustained failures escalate.
- Where does the geo come from?
- enrich.entity resolves the IP to geo, ASN, and a known-bad flag in flight, so the alert carries the context to act on.
- Is it safe to post emails to a channel?
- redact.pii masks the email for the chat destination while the full record still lands in your audit table.
failed logins, routed elsewhere
- Monitor failed logins in SlackSlack
- Monitor failed logins in DiscordDiscord
- Monitor failed logins in TelegramTelegram
- Monitor failed logins in EmailEmail
- Monitor failed logins in WebhookWebhook
- Monitor failed logins in NotionNotion
more, into Postgres
- Track user signups in Postgrestrack
- Monitor failed payments in Postgresmonitor
- Route support escalations in Postgresalert
- Track waitlist signups in Postgrestrack
- Track new subscriptions in Postgrestrack
- Track canceled subscriptions in Postgrestrack
- Track successful payments in Postgrestrack
- Track trial conversions in Postgrestrack
- Track form submissions in Postgrestrack
- Track feature usage in Postgrestrack
- Track file uploads in Postgrestrack
- Monitor usage-limit hits in Postgresmonitor
- Monitor error spikes in Postgresmonitor
- Monitor cron-job health in Postgresmonitor
- Monitor CI/CD build status in Postgresmonitor
- Flag high-value leads in Postgresalert
- Catch churn-risk signals in Postgresalert
- everything you can pipe to Postgreshub