Login/Logout audit events and user info

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Login/Logout audit events and user info

Postby mm666 » Wed Feb 06, 2019 9:01 pm

I'm trying to find a way to collect information about users' names or uids who are logging in and logging out. I'm running supraudit with a grep I found on GitHub https://github.com/AlfredoAbarca/OSXMon/blob/master/opt/SupraFilters_Login.sh

I can get such records:
Code: Select all
(text=Verify password for record type Users 'admin' node '/Local/Default' ) = 0
(text=Verify password for record type Users 'foo' node '/Local/Default' ) = 5000

Can I assume that AUE_auth_user event always returns "0" on successful login and "5000" in other cases? Is there maybe another login event where I can get uid instead of looking for username in text?

Can I use some event to record which user logged out? Events around logout which I found, contain neither username nor uid.
mm666
 
Posts: 1
Joined: Wed Feb 06, 2019 5:53 pm

Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 2 guests