Up until OS X 10.11 it was possible to view recent login failure events in the system log via:
cat /var/log/system.log | grep "Failed to authenticate"
Since 10.12, however, these events no longer appear in this log. Assuming that they are now stored somewhere else, does anyone know where they are?
@amosdeane Did you ever figure this out? We're running High Sierra 10.13.4 and the log event suggested at the top of the post here doesn't exist anymore. Seems like a rather unreliable method to find failed auth attempts. I'm trying to find a way to detect when the password is typed wrong 5x and the password policy from jamf locks the mac. We have no way to know when this happens right now as there isn't any type of notification built into jamf or even on the local machine.
@gachowski we've not really gone to High Sierra yet, so I've not looked at this on that OS - I will check it out now, though. On Sierra I found the following command (and variations of) produced what I want:
sudo log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d
The "--last 1d" indicates within the last day, so this would be adjusted based upon the search window.
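An added example, not part of the thread: one way to turn the `log show` query above into a check for repeated failures, such as the five wrong passwords mentioned earlier. The function names, `THRESHOLD`, `WINDOW_SECS` and the sample lines are assumptions made for illustration, and the timestamp layout is assumed to be `YYYY-MM-DD HH:MM:SS.ffffff±ZZZZ` as the first two fields.

```bash
# Added example: flag bursts of failed logins in `log show --style syslog` output.
# THRESHOLD and WINDOW_SECS are assumptions; match them to your password policy.
THRESHOLD=${THRESHOLD:-5}
WINDOW_SECS=${WINDOW_SECS:-600}
# Reads log lines on stdin (chronological order, one UTC offset throughout).
# Prints "<date> <time> failures=<n>" each time THRESHOLD failures fall within
# WINDOW_SECS. Returns 0 if any burst was found, 1 otherwise.
find_failure_bursts() {
  awk -v n="$THRESHOLD" -v w="$WINDOW_SECS" '
    # Day number since 1970-01-01, so a window can span midnight.
    function days(y, m, d) {
      if (m <= 2) { y--; m += 12 }
      y = 365*y + int(y/4) - int(y/100) + int(y/400)
      return y + int((153*(m-3) + 2)/5) + d - 719469
    }
    /Failed to authenticate user/ {
      # Fields 1 and 2 look like: 2018-04-20 23:58:01.123456-0700
      if (split($1, D, "-") != 3 || split($2, T, ":") < 3) next
      t = days(D[1]+0, D[2]+0, D[3]+0)*86400 + T[1]*3600 + T[2]*60 + int(T[3])
      ts[++tail] = t
      if (head == 0) head = 1
      while (t - ts[head] > w) head++      # drop failures older than the window
      if (tail - head + 1 >= n) {
        print $1, $2, "failures=" (tail - head + 1)
        found = 1; head = tail + 1         # count afresh after an alert
      }
    }
    END { exit !found }
  '
}
# Constructed sample lines (not real log output) for trying the function offline.
sample_log() {
  cat <<'EOF'
2018-04-20 21:00:00.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
2018-04-20 23:57:40.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
2018-04-20 23:58:05.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
2018-04-20 23:58:30.000000-0700  localhost example[202]: unrelated message
2018-04-20 23:59:30.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
2018-04-21 00:00:10.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
2018-04-21 00:01:15.000000-0700  localhost loginwindow[101]: Failed to authenticate user <private> (error: 9).
EOF
}
# On a Mac, run as root with --live; the predicate is the one from the thread.
if [ "${1:-}" = "--live" ]; then
  log show --style syslog --info --last 1d --predicate 'eventMessage contains "Failed to authenticate user"' | find_failure_bursts
fi
```

`sample_log | find_failure_bursts` exercises the function without a Mac; the burst in the constructed sample spans midnight.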