Failed Sudo Attempts

Jun 7, 2021 7:51:47 PM / By Gravwell

Who wishes they had sudo access? Who has sudo access but always fat-fingers their password? This query will help you answer these burning questions and maybe find somebody doing something sneaky.

The Query:

tag=syslog words authentication failure
| syslog Appname==sudo Message Hostname
| regex -e Message "authentication failure; (?P<kv>.+)"
| kv -e kv -sep = user
| stats count by user Hostname
| table user Hostname count
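To show what each stage of the pipeline above actually does to a log line, here is an added Python equivalent (not part of the original post or a Gravwell tool). It runs over a few constructed syslog lines, filters to the sudo app name, captures the text after "authentication failure;" as a key=value string, splits it on "=", and counts failures by user and host, the same shape of result the `stats`/`table` stages produce. The regular expressions for the syslog header and the sample lines are assumptions of this example, not Gravwell's parser.

```python
import re
from collections import Counter

# Constructed sample syslog lines in RFC 3164 style (not real log data).
# Line 4 is a successful sudo and line 5 is an sshd failure; neither should count.
SAMPLE_LOGS = """\
Jun  7 19:51:47 web01 sudo[1234]: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Jun  7 19:52:01 web01 sudo[1235]: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Jun  7 19:53:10 db02 sudo[777]: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
Jun  7 19:53:15 db02 sudo[778]:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Jun  7 19:54:00 web01 sshd[999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=alice
"""

# Stands in for the `syslog` module: pull Hostname, Appname and Message
# out of a BSD-style header. This regex is an assumption of the example.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<appname>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<message>.*)$"
)

# Same pattern as the `regex` stage: everything after the marker becomes "kv".
FAILURE_RE = re.compile(r"authentication failure; (?P<kv>.+)")


def parse_kv(text, sep="="):
    """Stand-in for `kv -sep =`: split whitespace-delimited key=value pairs.

    Tokens without a separator are ignored; an empty value (e.g. "rhost=")
    is kept as an empty string, just as PAM emits it.
    """
    pairs = {}
    for token in text.split():
        if sep in token:
            key, _, value = token.partition(sep)
            pairs[key] = value
    return pairs


def failed_sudo_by_user(lines):
    """Return Counter keyed by (user, hostname), like `stats count by user Hostname`."""
    counts = Counter()
    for line in lines:
        # Cheap pre-filter, equivalent in spirit to `words authentication failure`.
        if "authentication" not in line or "failure" not in line:
            continue
        header = SYSLOG_RE.match(line)
        if not header or header.group("appname") != "sudo":   # Appname==sudo
            continue
        failure = FAILURE_RE.search(header.group("message"))
        if not failure:
            continue
        fields = parse_kv(failure.group("kv"))
        user = fields.get("user")
        if not user:
            continue
        counts[(user, header.group("hostname"))] += 1
    return counts


def render_table(counts):
    """Render the result like the `table user Hostname count` stage, most failures first."""
    rows = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    out = ["user\tHostname\tcount"]
    out += [f"{user}\t{host}\t{n}" for (user, host), n in rows]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_table(failed_sudo_by_user(SAMPLE_LOGS.splitlines())))
```

Run as-is it prints two rows: alice on web01 with 2 failures and bob on db02 with 1. The sshd failure for alice is dropped by the app-name check, and the successful sudo line never matches the failure regex, which is exactly why the Gravwell query filters on Appname before extracting fields.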

(Image: xkcd "Incident", credit https://xkcd.com/838/)
