Finding Failed Login Attempts

VintageMacGuy
Contributor

For auditing purposes - is there a way to find failed login attempts on a Catalina or BigSur machine? It looks like there used to be, but no longer works as that info is now being hidden.

2 REPLIES 2

ljcacioppo
Contributor II

Not sure if you're looking for failed attempts for a specific user, but maybe this would help:

dscl . readpl /Users/$user accountPolicyData failedLoginCount | sed 's/failedLoginCount://'

JAMF Support found the following command, which seems to work, however shows the username as "<Private>":

“log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d”

 

They said using sudo would unmask the <private> tags and show the usernames, but that did not work for me on my BigSur 11.6 test Mac. 

However, I found a .mobileconfig file that uncloaked the usernames from the point of adding it forward. It had no effect on past entries.:
https://georgegarside.com/blog/macos/sierra-console-private/