Posted on 05-30-2017 07:50 AM
Up until OS X 10.11 it was possible to view recent login failure events in the system log via:
cat /var/log/system.log | grep "Failed to authenticate"
Since 10.12, however, these events no longer appear in this log. Assuming that they are now stored somewhere else, does anyone know where they are?
Posted on 05-30-2017 10:02 AM
@amosdeane .. try running this command..
log show --predicate '(eventMessage CONTAINS "maximum authentication attempts exceeded")' --style syslog --info
You can also take a look at this and also here to get the info I just got in order to show logs for 10.12.. Hope this was helpful
Posted on 05-30-2017 12:22 PM
If login and logout events are audited ("lo" flag is set in /etc/security/audit_control), then you can run praudit -x /var/audit/[file] to get an XML representation of the audit logs and you should be able to find login events in there including wrong password, too many attempts, etc.
Posted on 05-30-2017 12:51 PM
If login/logout events are audited (i.e. "lo" flag is listed in /etc/security/audit_control), then you should be able to find those events in audit files (/var/audit/).
sudo praudit -x /var/audit/[file]
Posted on 05-31-2017 02:46 AM
Many thanks for the different suggestions, and the links. That gives me a lot to work with.
Posted on 05-03-2018 02:56 PM
@amosdeane Did you ever figure this out? We're running High Sierra 10.13.4 and the log event suggested at the top of the post here doesn't exist anymore. Seems like a rather unreliable method to find failed auth attempts. I'm trying to find a way to detect when the password is typed wrong 5x and the password policy from jamf locks the mac. We have no way to know when this happens right now as there isn't any type of notification built into jamf or even on the local machine.
Posted on 05-03-2018 03:01 PM
In Sierra if you got the log right after 5 tries it would say that your account is locked please contact your administrator. You are not seeing that in HS?
Thanks
C
Posted on 05-22-2018 08:56 AM
@gachowski I am NOT seeing this. Are we supposed to see this message on the login page of the mac? That would be a perfect solution; we don't actually need to be notified if the user knows to contact the helpdesk. Is there a way to show this on the login page of a non-domain-joined mac?
Posted on 08-02-2018 07:23 AM
@gachowski we've not really gone to High Sierra yet, so I've not looked at this on that OS - I will check it out now, though. On Sierra I found the following command (and variations of) produced what I want:
sudo log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d
The "--last 1d" indicates within the last day, so this would be adjusted based upon the search window.
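
Building on the command in the last post, an added example (not part of the thread) that counts "Failed to authenticate user" messages per user and lists accounts reaching a threshold, such as the 5 wrong attempts mentioned earlier. The sample lines, the `exampled` process name and the assumed message layout (user name as the first token after the phrase, optionally in `<>` or double quotes) are constructed; compare them with your own `log show` output.

```shell
#!/bin/sh
# Added example: per-user summary of "Failed to authenticate user" messages.
# Assumption: the user name is the first token after that phrase, optionally
# wrapped in <> or double quotes. Confirm against your own `log show` output.

# Reads syslog-style lines on stdin. Prints "<count> <user>" for each user with
# at least $1 failures (default 5), highest count first.
failed_auth_summary() {
    awk -v min="${1:-5}" '
        {
            phrase = "Failed to authenticate user"
            pos = index($0, phrase)
            if (pos == 0) next                      # unrelated line
            rest = substr($0, pos + length(phrase))
            sub(/^[ \t]+/, "", rest)
            split(rest, parts, /[ \t]+/)
            user = parts[1]
            gsub(/^[<"]+|[>".,:;)]+$/, "", user)    # strip wrappers and trailing punctuation
            if (user != "") count[user]++
        }
        END { for (u in count) if (count[u] >= min) print count[u], u }
    ' | sort -rn
}

# Constructed sample lines (not real log output) so the script runs offline.
sample_log() {
    cat <<'EOF'
2018-08-02 07:01:10.000000+0000  mac01 exampled[101]: Failed to authenticate user <jdoe> (error: 9).
2018-08-02 07:01:14.000000+0000  mac01 exampled[101]: Failed to authenticate user <jdoe> (error: 9).
2018-08-02 07:01:19.000000+0000  mac01 exampled[101]: Failed to authenticate user <jdoe> (error: 9).
2018-08-02 07:01:25.000000+0000  mac01 exampled[101]: Session opened for user asmith
2018-08-02 07:01:31.000000+0000  mac01 exampled[101]: Failed to authenticate user <jdoe> (error: 9).
2018-08-02 07:01:38.000000+0000  mac01 exampled[101]: Failed to authenticate user <jdoe> (error: 9).
2018-08-02 09:12:02.000000+0000  mac01 exampled[101]: Failed to authenticate user "asmith" (error: 9).
2018-08-02 09:12:09.000000+0000  mac01 exampled[101]: Failed to authenticate user "asmith" (error: 9).
EOF
}

# Offline demo on the constructed sample:
sample_log | failed_auth_summary 5

# Live use on a Mac, piping the command from the post above into the summary:
#   sudo log show --style syslog \
#     --predicate 'eventMessage contains "Failed to authenticate user"' \
#     --info --last 1d | failed_auth_summary 5
```
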