Finding Failed Login Attempts

As role admin at label admin_high, enter -lo as the value of the -c option to auditreduce(1M).

$ auditreduce -c -lo -O /usr/audit_summary/logins_failed

The value "-lo" is the audit flag for failed (-) login (audit class lo) attempts. The command produces a binary file in the /usr/audit_summary directory with all failed login attempts on the distributed system. The /usr/audit_summary directory is labeled admin_high.

/usr/audit_summary/19970313120429.19970613120415.logins_failed

Note -

This command works only if the security administrator has preselected failed logins for the workstation, distributed system, or users.

Previous: Workstations are Being Audited Differently
Next: Appendix A Event-to-Class Mappings