
Up until OS X 10.11 it was possible to view recent login failure events in the system log via:

cat /var/log/system.log | grep "Failed to authenticate"

Since 10.12, however, these events no longer appear in this log. Assuming that they are now stored somewhere else, does anyone know where they are?

@amosdeane .. try running this command.. log show --predicate '(eventMessage CONTAINS "maximum authentication attempts exceeded")' --style syslog --info

You can also take a look at this and also here to get the info I just got in order to show logs for 10.12.. Hope this was helpful


If login and logout events are audited ("lo" flag is set in /etc/security/audit_control), then you can run praudit -x /var/audit/[file] to get an XML representation of the audit logs, and you should be able to find login events in there, including wrong password, too many attempts, etc.


If login/logout events are audited (i.e. "lo" flag is listed in /etc/security/audit_control), then you should be able to find those events in audit files (/var/audit/).

sudo praudit -x /var/audit/[file]


Many thanks for the different suggestions, and the links. That gives me a lot to work with.


@amosdeane Did you ever figure this out? We're running High Sierra 10.13.4 and the log event suggested at the top of the post here doesn't exist anymore. Seems like a rather unreliable method to find failed auth attempts. I'm trying to find a way to detect when the password is typed wrong 5x and the password policy from jamf locks the mac. We have no way to know when this happens right now as there isn't any type of notification built into jamf or even on the local machine.


@ktwingstrom

In Sierra, if you got the log right after 5 tries, it would say that your account is locked, please contact your administrator. You are not seeing that in HS?

Thanks

C


@gachowski I am NOT seeing this. Are we supposed to see this message on the login page of the mac? That would be a perfect solution; we don't actually need to be notified if the user knows to contact the helpdesk. Is there a way to show this on the login page of a non-domain-joined mac?


@gachowski we've not really gone to High Sierra yet, so I've not looked at this on that OS - I will check it out now, though. On Sierra I found the following command (and variations of it) produced what I want:

sudo log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d

The "--last 1d" indicates within the last day, so this would be adjusted based upon the search window.
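
Added example (not part of any post in this thread): a shell function that reads `log show --style syslog` output on stdin and reports accounts with at least a given number of "Failed to authenticate user" events, with the first and last timestamp seen. The function names, the sample lines and the assumption that the account name is the word following "user" are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in syslog style; process name, host, error text and
# account names are made up. Only the phrase "Failed to authenticate user"
# comes from the thread.
sample_log() {
cat <<'EOF'
2018-05-02 09:14:01.120000-0600 mac01 opendirectoryd[92]: Failed to authenticate user alice (error: 5000)
2018-05-02 09:14:09.300000-0600 mac01 opendirectoryd[92]: Failed to authenticate user alice (error: 5000)
2018-05-02 09:14:20.010000-0600 mac01 opendirectoryd[92]: Failed to authenticate user bob (error: 5000)
2018-05-02 09:14:31.770000-0600 mac01 opendirectoryd[92]: Failed to authenticate user alice (error: 5000)
2018-05-02 09:14:40.050000-0600 mac01 loginwindow[101]: Login Window Application Started
2018-05-02 09:14:44.900000-0600 mac01 opendirectoryd[92]: Failed to authenticate user alice (error: 5000)
2018-05-02 09:14:52.480000-0600 mac01 opendirectoryd[92]: Failed to authenticate user alice (error: 5000)
2018-05-02 11:02:13.000000-0600 mac01 opendirectoryd[92]: Failed to authenticate user bob (error: 5000)
EOF
}

# Usage: <log lines on stdin> | failed_auth_over_threshold N
# Prints "<count> <account> <first date> <first time> <last date> <last time>"
# for every account with at least N failures, sorted by account name.
# If the log redacts the name (e.g. "<private>"), all failures group under
# that token, so the count is then per machine rather than per account.
failed_auth_over_threshold() {
    awk -v t="$1" '
        /Failed to authenticate user/ {
            # Assumption: the account name is the word right after "user".
            for (i = 2; i < NF; i++)
                if ($i == "user" && $(i - 1) == "authenticate") {
                    u = $(i + 1)
                    if (!(u in n)) first[u] = $1 " " $2
                    n[u]++
                    last[u] = $1 " " $2
                    break
                }
        }
        END { for (u in n) if (n[u] >= t) print n[u], u, first[u], last[u] }
    ' | LC_ALL=C sort -k2
}

# Demo on the constructed sample, using the 5-attempt limit mentioned above.
sample_log | failed_auth_over_threshold 5
```

On a Mac, the input would come from the command quoted above, e.g. `sudo log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d | failed_auth_over_threshold 5`.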