Posted on 10-15-2021 10:00 AM
For auditing purposes, is there a way to find failed login attempts on a Catalina or Big Sur machine? It looks like there used to be, but it no longer works, as that info is now being hidden.
Posted on 10-15-2021 01:02 PM
Not sure if you're looking for failed attempts for a specific user, but maybe this would help:
dscl . readpl /Users/$user accountPolicyData failedLoginCount | sed 's/failedLoginCount://'
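As an added example (not written by anyone in this thread), the per-user lookup above can be extended into a sweep of every local account for an audit report. The function names and the UID floor of 501 are assumptions of this example, and an account without a failedLoginCount key is reported as 0.

```shell
#!/bin/sh
# Added example: report failedLoginCount for every regular local account.
# MIN_UID is an assumption: macOS numbers regular local users from 501 upward.
MIN_UID=501

# Print the failedLoginCount for one user, or 0 when the key is absent.
failed_count_for() {
    out=$(dscl . -readpl "/Users/$1" accountPolicyData failedLoginCount 2>/dev/null) \
        || { echo 0; return 0; }
    # dscl prints "failedLoginCount: N"; drop the label and any whitespace.
    out=$(printf '%s' "${out#failedLoginCount:}" | tr -d '[:space:]')
    case "$out" in
        ''|*[!0-9]*) echo 0 ;;   # anything that is not a plain number
        *) echo "$out" ;;
    esac
}

# Emit "count<TAB>user" for each account at or above MIN_UID, highest count first.
failed_login_report() {
    dscl . -list /Users UniqueID | while read -r user uid; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed rows
        [ "$uid" -ge "$MIN_UID" ] || continue          # skip system accounts
        printf '%s\t%s\n' "$(failed_count_for "$user")" "$user"
    done | sort -rn
}

# Run the report only where dscl exists (i.e. on a Mac).
if command -v dscl >/dev/null 2>&1; then
    failed_login_report
fi
```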
Posted on 10-15-2021 02:35 PM
JAMF Support found the following command, which seems to work; however, it shows the username as "<Private>":
log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d
They said using sudo would unmask the <private> tags and show the usernames, but that did not work for me on my Big Sur 11.6 test Mac.
However, I found a .mobileconfig file that uncloaked the usernames from the point of adding it forward. It had no effect on past entries:
https://georgegarside.com/blog/macos/sierra-console-private/