View login failures in logs

amosdeane
New Contributor III

Up until OS X 10.11 it was possible to view recent login failure events in the system log via:

cat /var/log/system.log | grep "Failed to authenticate"

Since 10.12, however these events no longer appear in this log. Assuming that they are now stored somewhere else, does anyone know where they are?


JustDeWon
Contributor III

@amosdeane .. try running this command.. log show --predicate '(eventMessage CONTAINS "maximum authentication attempts exceeded")' --style syslog --info

You can also take a look at this and also here to get the info I just got in order to show logs for 10.12.. Hope this was helpful

Zanoski
New Contributor II

If login and logout events are audited ("lo" flag is set in /etc/security/audit_control), then you can run praudit -x /var/audit/[file] to get an xml representation of audit logs and you should be able to find login events in there including wrong password, too many attempts, etc.

maza
New Contributor

If login/logout events are audited (i.e. "lo" flag is listed in /etc/security/audit_control), then you should be able to find those events in audit files (/var/audit/).

sudo praudit -x /var/audit/[file]

amosdeane
New Contributor III

Many thanks for the different suggestions, and the links. That gives me a lot to work with.

ktwingstrom
New Contributor

@amosdeane Did you ever figure this out? We're running High Sierra 10.13.4 and the log event suggested at the top of the post here doesn't exist anymore. Seems like a rather unreliable method to find failed auth attempts. I'm trying to find a way to detect when the password is typed wrong 5x and the password policy from jamf locks the mac. We have no way to know when this happens right now as there isn't any type of notification built into jamf or even on the local machine.

gachowski
Valued Contributor II

@ktwingstrom

In Sierra if you got the log right after 5 tries it would say that your account is locked, please contact your administrator. You are not seeing that in HS?

Thanks

C

ktwingstrom
New Contributor

@gachowski I am NOT seeing this. Are we supposed to see this message on the login page of the mac? That would be a perfect solution we don't actually need to be notified if the user knows to contact the helpdesk. Is there a way to show this on the login page of a non-domain-joined mac?

amosdeane
New Contributor III

@gachowski we've not really gone to High Sierra yet, so I've not looked at this on that OS - I will check it out now, though. On Sierra I found the following command (and variations of it) produced what I want:

sudo log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d

the "--last 1d" indicates within the last day so this would be adjusted based upon the search window