8

I've tried the following commands:

syslog -F raw -k Facility com.apple.system.lastlog | grep <my_username>
cat /var/log/asl.log (DOES NOT WORK ON HighSierra)
who

Thanks to Scot, the following command works:

log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d

The problem with this is that it does not give me the username of the account trying to be accessed.

Does anyone of any bash/Python programs or Terminal commands that will give me my failed login attempts (graphical login/ssh)?

See more info here

H. Kamran
  • 183

3 Answers3

5

You can retrieve the failed login with a command like the following:

For streaming data:

log stream --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog

Or, failed logins in last hour:

log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1h

But, this won't show the username for the failed request, only that a failure occurred.

Scot
  • 8,045
  • This should be what I need...I'll test it first. Running test now. – H. Kamran Apr 21 '18 at 01:36
  • This command takes too long to run! After 20-ish hours, it still hasn't picked up any fails, even though I purposefully entered some characters wrong. – H. Kamran Apr 21 '18 at 22:30
  • Hmm - it should be virtually instant. And, the log show command should pick up any failures that have happened previously. Try the below command, it takes a few seconds to run on my machine. – Scot Apr 22 '18 at 04:58
  • 2
    log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d – Scot Apr 22 '18 at 04:59
  • The above commands should show all failures that occurred in the last day, so your previous tests should come up... – Scot Apr 22 '18 at 05:00
  • Running your command now. Alright, now that it is done, it gives me the results (VERY FAST), BUT is there a way to get the username that was attempting to be accessed? – H. Kamran Apr 27 '18 at 00:23
4

I wanted to see Username of the failed and successful login attempts on my Mac High Sierra and ended up posting another question on SE. Later I found the answer and updated that post.

If you're still looking for a way to see usernames in logs then you need to turn on "private" mode for logs. Here is the command to do that:

sudo log config --mode "private_data:on"

Here is my post where I've posted this answer already:

Mac OS High Sierra how to see Username for the failed login attempt

Curious101
  • 286
0

It doesn't seem like Apple logs every login failure, or at least I'm not seeing a log with all login failures. I locked my screen and failed to log in and it didn't seem to record it anywhere.

However, the file /private/var/log/system.log does have some authentication failures listed.

Apr 16 20:22:34 My-MacBook-Pro sudo[50638]: username : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/username ; USER=root ; COMMAND=/usr/bin/su

You'll also see these messages in Console.app

Console.app login failure

freehunter
  • 101
  • Processing the log files isn't a great strategy now that Apple's unified logging is database driven. See Scott's answer on using the log command to stream and search the logs for these details. No -1 since you clearly offered help, just can't +1 this answer as it stands. – bmike Apr 17 '18 at 01:02