Trusted Solaris Audit Administration

Finding Failed Login Attempts

    As role admin at label admin_high, enter -lo as the value of the -c option to auditreduce(1M).


    $ auditreduce -c -lo -O /usr/audit_summary/logins_failed
    

    The value -lo is the audit flag for failed (-) login attempts (audit class lo). The command produces a binary file in the /usr/audit_summary directory that contains all failed login attempts on the distributed system, for example:

    /usr/audit_summary/19970313120429.19970613120415.logins_failed

    The /usr/audit_summary directory is labeled admin_high.


    Note - This command works only if the security administrator has preselected failed logins for the workstation, distributed system, or users.
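
Before concluding that a period had no failed logins, confirm that the summary file actually covers that period. The script below is an added example, not part of the original manual: it reads the window from the output file name shown above. The function names are hypothetical, and the YYYYMMDDHHMMSS time stamp layout and the not_terminated marker are standard Solaris audit file naming, assumed here rather than stated on this page.

```shell
#!/bin/sh
# Added example, not from the manual: report the time window covered by an
# auditreduce output file, using only its name.
# Name layout as seen above: <start>.<end>.<suffix>, where each time stamp is
# YYYYMMDDHHMMSS (standard Solaris audit file naming, assumed here).

# fmt_ts STAMP: print "YYYY-MM-DD HH:MM:SS"; fail unless STAMP is 14 digits.
fmt_ts() {
    out=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9]\{4\}\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)$/\1-\2-\3 \4:\5:\6/p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# audit_window PATH: print "<suffix>: <start> to <end>".
# Returns 1 for a malformed name, 2 for a file that is still being written.
audit_window() {
    name=${1##*/}                      # drop the directory part
    case $name in
        *.*.*) ;;
        *) echo "unexpected audit file name: $name" >&2; return 1 ;;
    esac
    start=${name%%.*}; rest=${name#*.}
    end=${rest%%.*};   suffix=${rest#*.}
    # Solaris marks the active audit file with this literal end stamp.
    if [ "$end" = "not_terminated" ]; then
        echo "$name is still open; its end time is unknown" >&2
        return 2
    fi
    s=$(fmt_ts "$start") || { echo "bad start time: $start" >&2; return 1; }
    e=$(fmt_ts "$end")   || { echo "bad end time: $end" >&2; return 1; }
    if [ "$start" -gt "$end" ]; then
        echo "start time is after end time in $name" >&2
        return 1
    fi
    printf '%s: %s to %s\n' "$suffix" "$s" "$e"
}

# File name taken from the page; only the name is parsed, the file is not read.
audit_window /usr/audit_summary/19970313120429.19970613120415.logins_failed
```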