LinuxQuestions.org


mccartjd 10-14-2009 08:35 AM

Account Lockout Recorded in System Logs?
 
Very new to Linux.

I'm using RHEL 2.4 and could not find any record of accounts that were locked out due to unsuccessful logins, other than that it was documented in the /var/log/faillog.

By default, does the Linux System Log record account lockouts, and in which System Log: Audit, Message or Security? What trigger words should I look for, for example "account locked"?

The accounts do reflect in the faillog and the System Logs show authentication failures but I was just wondering if it was documented somewhere other than the faillog.

A million thanks:)
John

chrism01 10-14-2009 08:25 PM

According to this http://www.redhat.com/security/updates/errata/ there's no such thing as RHEL 2.4; sounds like the kernel version, not the release.
Please show

uname -a

cat /etc/redhat-release

mccartjd 10-19-2009 10:22 AM

Response to typing commands
 
After I type:

uname -a

The return is:
Linux localhost.localdomain 2.6.9-67/0.15.Elsmp #1 SMP Tue Apr 22 13:58 EDT2

After I type:
cat /etc/redhat-release

The return is:
Red Hat Enterprise Linux WS Release 4 (Nahant)

Thanks
John

mccartjd 10-19-2009 11:44 AM

pam_tally
 
Should my focus be on pam_tally and modifying the /etc/pam.d/login file:

auth required pam_tally.so file=/path/to/counter

Right now my /etc/pam.d/sys-auth file, below:

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root

Locks the account out and writes to the faillog file but I was wondering if I could specify an additional location where account lockouts or counters could be recorded?


A million thanks
John

AlucardZero 10-19-2009 12:41 PM

RHEL4.0 then.

It should by default also log to /var/log/messages or /var/log/secure. You can edit /etc/syslog.conf to send auth messages to another place as well if you wish.
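
An added example, not part of the thread: a shell filter that pulls pam_tally lockout entries out of the syslog files named in the reply above. The function names `lockouts` and `sample_log` are hypothetical, the sample lines are constructed, and the "user NAME (UID) tally N, deny M" wording is an assumption about what pam_tally writes, so compare it with the lines your own system logs.

```shell
#!/bin/sh
# Added example: list accounts whose pam_tally counter has passed the deny limit.
# Assumption: pam_tally reports a refused login through syslog with the text
#   "user NAME (UID) tally N, deny M"

# lockouts [FILE...]
# Reads the given log files (or stdin) and prints one line per locked user:
#   NAME tally=N deny=M      (latest values seen for that user)
lockouts() {
    awk '
        /pam_tally/ && /tally [0-9]+, deny [0-9]+/ {
            user = ""; tally = -1; deny = -1
            for (i = 1; i < NF; i++) {
                if ($i == "user")  user  = $(i + 1)
                if ($i == "tally") tally = $(i + 1) + 0   # "+ 0" drops the trailing comma
                if ($i == "deny")  deny  = $(i + 1) + 0
            }
            # deny=0 means no limit is set, so only report a real overrun
            if (user != "" && deny > 0 && tally > deny)
                last[user] = "tally=" tally " deny=" deny
        }
        END { for (u in last) print u, last[u] }
    ' "$@" | sort
}

# Constructed sample input: two ordinary authentication failures and two
# pam_tally entries for the same account.
sample_log() {
    cat <<'EOF'
Oct 19 11:02:10 localhost login(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=john
Oct 19 11:02:41 localhost login[2311]: pam_tally: user john (500) tally 6, deny 5
Oct 19 11:05:03 localhost sshd(pam_unix)[2400]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7  user=mary
Oct 19 11:06:00 localhost sshd[2411]: pam_tally: user john (500) tally 7, deny 5
EOF
}

# Demonstration on the constructed sample; on a real host run, as root:
#   lockouts /var/log/secure /var/log/messages
sample_log | lockouts
```

Plain "authentication failure" lines are skipped on purpose: they show failed attempts, while only the pam_tally entry shows that the deny limit was crossed.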

