Account Lockout Event - No Username Included

Hi All,

I have configured some of my systems for PAM_TALLY2 events on Red Hat 6.5, with syslog and auditd running and the password-auth file configured as follows:

auth required pam_tally2.so deny=3 onerr=fail lock_timeout=300

account required pam_tally2.so

I am receiving the events for the account lockouts in /var/log/messages, which include 'type=RESP_ACCT_LOCK' as expected. However, there is no username information with the event.

My question: is it possible to configure the system so the event does include the offending username? This is required as I am developing use case rules within ArcSight.

Thanks in advance.

Sean.

Responses

Sean, you can get that data from the audit log using the aureport command like so: aureport -au -i --failed

The raw data must be in the audit log assuming that audit is enabled.
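
An added example, not part of the original thread: a Python parser that pulls RESP_ACCT_LOCK records out of raw audit log text and resolves the locked account's name, so the result can be forwarded to a SIEM with a username attached. It assumes pam_tally2 records the locked account as a numeric uid inside the record's msg='...' field; the sample records, the passwd data and the function names are constructed for illustration.

```python
import re

# Constructed sample records (not from the thread). Assumption: pam_tally2
# puts the numeric uid of the locked account inside the quoted msg='...' field.
SAMPLE_AUDIT = """\
type=ANOM_LOGIN_FAILURES msg=audit(1400000000.101:510): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='pam_tally2 uid=501 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=RESP_ACCT_LOCK msg=audit(1400000000.102:511): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='pam_tally2 uid=501 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1400000005.200:512): user pid=2105 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=RESP_ACCT_LOCK msg=audit(1400000300.007:530): user pid=2290 uid=0 auid=4294967295 ses=4294967295 msg='pam_tally2 uid=777 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
"""

# Constructed passwd(5)-format data standing in for /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):")
INNER = re.compile(r"msg='([^']*)'")

def load_uid_map(passwd_text):
    """Map numeric uid -> login name from passwd-format text."""
    m = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            m.setdefault(int(f[2]), f[0])  # first entry wins on duplicate uids
    return m

def lockout_events(audit_text, uid_map):
    """Return one dict per RESP_ACCT_LOCK record, with the uid resolved."""
    events = []
    for line in audit_text.splitlines():
        h = HEADER.match(line)
        if not h or h.group(1) != "RESP_ACCT_LOCK":
            continue
        inner = INNER.search(line)
        # Look only inside msg='...': the outer uid= is the reporting process.
        body = inner.group(1) if inner else ""
        u = re.search(r"\buid=(\d+)", body)
        exe = re.search(r'exe="([^"]*)"', body)
        uid = int(u.group(1)) if u else None
        events.append({"epoch": int(h.group(2)), "serial": int(h.group(3)),
                       "uid": uid, "user": uid_map.get(uid, "unknown(%s)" % uid),
                       "exe": exe.group(1) if exe else None})
    return events
```

A uid with no passwd entry (for example a deleted account) is reported as `unknown(<uid>)` rather than dropped, so the lockout still reaches the correlation rule.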
