Finding Failed Login Attempts


For auditing purposes - is there a way to find failed login attempts on a Catalina or BigSur machine? It looks like there used to be, but no longer works as that info is now being hidden.


Contributor II

Not sure if you're looking for failed attempts for a specific user, but maybe this would help:

dscl . readpl /Users/$user accountPolicyData failedLoginCount | sed 's/failedLoginCount://'

JAMF Support found the following command, which seems to work, however shows the username as "<Private>":

“log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d”


They said using sudo would unmask the <private> tags and show the usernames, but that did not work for me on my BigSur 11.6 test Mac. 

However, I found a .mobileconfig file that uncloaked the usernames from the point of adding it forward. It had no effect on past entries.: