Account Lockout Event - No Username Included

Hi All,

I have configured some of my systems for PAM_TALLY2 events on Red Hat 6.5. With syslog and auditd running and the password-auth file configured as following:

auth required pam_tally2.so deny=3 onerr=fail lock_timeout=300

account required pam_tally2.so

I am receiving the events for the account lockouts in the var/log/messages which include 'type=RESP_ACCT_LOCK' as expected. However there is no username information with the event.

My question, is it possible to configure the system so the event does include the offending username? This is required as I am developing use case rules within ArcSight.

Thanks in advance.

Sean.