loginlog - log of failed login attempts
After multiple unsuccessful login attempts in a row in the same invocation of login(1), all the attempts are logged in the file /var/adm/loginlog. The number of attempts is controlled by the RETRIES property in /etc/default/login and defaults to 5.
This plain text file contains one record for each failed attempt. Each record contains the login name, tty specification, and time. Each field within each entry is separated from the next by a colon. Each entry is separated from the next by a newline.
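A parser for the record layout described above, as an added example that is not part of the original manual page. The ctime-style timestamp and the sample records are assumptions constructed for illustration. Because the login name is the one field supplied by the person at the prompt, the parser splits from the right so that a colon typed into the name cannot shift the tty and time fields.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample, not from a real system. Layout is name:tty:time as
# described above; the ctime-style timestamp is an assumption.
SAMPLE = """\
root:/dev/pts/3:Mon Mar  4 02:11:07 2024
admin:/dev/pts/3:Mon Mar  4 02:11:12 2024
ora:cle:/dev/pts/3:Mon Mar  4 02:11:18 2024
root:/dev/pts/3:Mon Mar  4 02:11:23 2024
test:/dev/pts/3:Mon Mar  4 02:11:29 2024
jdoe:/dev/console:Tue Mar  5 09:30:01 2024
this line is not a record
"""
FMT = "%a %b %d %H:%M:%S %Y"

def parse_record(line):
    """Return (name, tty, datetime), or None if the line is malformed."""
    # The name is typed by whoever is at the prompt, so split from the
    # right: the timestamp always carries exactly two colons of its own.
    fields = line.rstrip("\n").rsplit(":", 4)
    if len(fields) != 5:
        return None
    name, tty, stamp = fields[0], fields[1], ":".join(fields[2:])
    try:
        return name, tty, datetime.strptime(" ".join(stamp.split()), FMT)
    except ValueError:
        return None

def summarise(text):
    """Per tty: failure count, distinct names, first and last timestamp."""
    ttys = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    skipped = 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        name, tty, when = rec
        s = ttys[tty]
        s["count"] += 1
        s["names"].add(name)
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    return dict(ttys), skipped

def many_names(summary, threshold=3):
    """ttys where at least `threshold` different names failed."""
    return sorted(t for t, s in summary.items() if len(s["names"]) >= threshold)
```

Feeding the contents of /var/adm/loginlog to summarise() and then many_names() lists the terminals on which several different login names failed, which is the pattern worth reviewing first.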
By default, loginlog does not exist, so logging is only done via syslog. To enable loginlog, the log file must be created with read and write permission for owner only, and the owner must be root and the group must be sys.
Use of the lo class audit records in Solaris Auditing is recommended over the creation of loginlog as the audit records are captured from a wider range of login methods and are more complete than the data recorded in loginlog.