Login attempt history?

Sonic84
Contributor III

Hello, does macOS 10.13 keep an authentication log anywhere? I don't see the accountpolicy.log in /var/log anymore... so I'm assuming Apple moved it into the log facility?

I need to audit a Mac for login success/fail attempts at the screensaver/login window. Any help would be appreciated!


davidacland
Honored Contributor II

You might be able to get the information from the log command-line tool. Something like this:

log show --last 300 --predicate 'eventMessage contains "Failed to authenticate user"' | grep "Failed to authenticate user"

ktwingstrom
New Contributor

So I've got the same issue. I have a sort of similar solution. I use the log tool to grep for a specific line that specifies when a user attempts to log in on a machine that is locked out. Unfortunately today we got a false positive, so apparently this event is generated by more than just authentication attempts against a locked machine. FWIW here is the command I'm running:

log show --style syslog --last 60s | grep -i 'Failed\sAuthentication\sPolicy'

This searches through the logs over the last 60 seconds for the regex in the single quotes. You can do any regex you like with grep. I think there's a way to use the above using 'eventMessage' but I couldn't get that to work so I use grep. I know it's not the same thing you are looking for but it's similar and might give you some ideas.

dan-snelson
Valued Contributor II

@Sonic84 We're using the following as an Extension Attribute for failed logins within the last 24 hours:

#!/bin/bash

# Extension Attribute to determine the number of failed login attempts during a specified duration
# See: log help show

searchDuration="24h"  # [--last <num>[m|h|d] ]

# grep -c counts only the matching event lines; a plain `wc -l` would also count the
# "Timestamp (process)[PID]" header line that --style syslog prints before the events
failedLoginAttempts=$( /usr/bin/log show --last "${searchDuration}" --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' | /usr/bin/grep -c "Failed to authenticate user" )

echo "<result>$failedLoginAttempts</result>"

exit 0

dlondon
Valued Contributor

When I just use a general form of the log show command I get output like this:

log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog
Filtering the log data using "composedMessage CONTAINS "Authentication failed""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp (process)[PID]
2024-04-02 08:39:10.906297+0800 localhost opendirectoryd[170]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (907B8838-1A52-4DD3-A0DD-EF183620FED5): ODErrorCredentialsInvalid
2024-04-02 10:35:28.279550+0800 localhost opendirectoryd[170]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (CA986D08-8CB4-43C5-ABAB-18644A29C97C): ODErrorCredentialsInvalid

Is there a way to unhide <private>?
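The Extension Attribute above counts events and the syslog-style output above shows their shape; the script below, an added example that is not code from anyone in this thread, parses that output format, skips the header lines that `log show --style syslog` prints, counts the failures, and buckets them per hour so a burst of failed attempts stands out. The sample log lines and the function names are constructed for the example; the UUIDs are placeholders.

```bash
#!/bin/bash
# Added example: count and time-bucket failed-login events from `log show --style syslog`
# output. On a real Mac, feed it a capture such as:
#   /usr/bin/log show --last 24h --style syslog \
#     --predicate 'eventMessage CONTAINS "Failed to authenticate user" OR eventMessage CONTAINS "Authentication failed"' \
#     | failures_per_hour
set -u

# Event lines start with a timestamp; anchoring on it keeps the header lines out even
# when the predicate text itself is echoed back in the "Filtering the log data" line.
FAIL_RE='^[0-9]{4}-[0-9]{2}-[0-9]{2} .*(Failed to authenticate user|Authentication failed for)'

# Constructed sample output (not real machine data), including the two header lines.
SAMPLE_LOG='Filtering the log data using "composedMessage CONTAINS "Authentication failed""
Timestamp                       (process)[PID]
2024-04-02 08:39:10.906297+0800 localhost opendirectoryd[170]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (UUID-PLACEHOLDER-1): ODErrorCredentialsInvalid
2024-04-02 08:39:12.118452+0800 localhost opendirectoryd[170]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (UUID-PLACEHOLDER-2): ODErrorCredentialsInvalid
2024-04-02 08:39:13.500000+0800 localhost loginwindow[140]: (Security) [com.apple.loginwindow:auth] unrelated line that mentions authentication but is not a failure
2024-04-02 10:35:28.279550+0800 localhost opendirectoryd[170]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> (UUID-PLACEHOLDER-3): ODErrorCredentialsInvalid'

# count_failures: number of failure events on stdin (header lines are not counted).
count_failures() {
  grep -c -E "$FAIL_RE" || true   # grep -c exits 1 on zero matches but still prints 0
}

# failures_per_hour: one line per "YYYY-MM-DD HH" bucket followed by its count.
failures_per_hour() {
  grep -E "$FAIL_RE" | awk '{ print $1 " " substr($2, 1, 2) }' | sort | uniq -c \
    | awk '{ print $2 " " $3 " " $1 }'
}

# max_failures_in_any_hour: peak hourly count, the value to compare against an alert threshold.
max_failures_in_any_hour() {
  failures_per_hour | awk 'BEGIN { m = 0 } $3 > m { m = $3 } END { print m }'
}

# jamf_ea_result: wraps the count in the <result> tags an Extension Attribute returns.
jamf_ea_result() {
  printf '<result>%s</result>\n' "$(count_failures)"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | jamf_ea_result
printf '%s\n' "$SAMPLE_LOG" | failures_per_hour
```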