Logging failed login attempts in Mac OS and sending to a syslog server or even just to a file.

Hello,


I'm working to aggregate logs of failed login attempts from 50+ MBAs running Sierra and High Sierra. I'm able to see the failed login attempts in the console app and via cli "log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d". What I haven't been able to figure out is how to cause these logs to be sent to a syslog server.


I am getting the more generic system logs going to a syslog server, but these logs do not contain the "Authentication failed" messages that I'm after.


The "Authentication failed" logs are generated by subsystem com.apple.opendirectoryd. The failed logins that I'm trying to capture are for local user accounts.


I've tried the following /etc/asl.conf settings with the hope of at least writing opendirectoryd log entries to a file, but my attempts were unsuccessful.


# the subsystem is com.apple.opendirectoryd, I'm assuming that is the same as Facility - No Joy.

? [= Facility com.apple.opendirectoryd] file opendirectoryd.log


# the subsystem is com.apple.opendirectoryd, let's try just using opendirectoryd as the facility - No Joy

? [= Facility opendirectoryd] file opendirectoryd.log


# tried by PID opendirectoryd is running as PID 76 - this was just out of desperation - No Joy

? [= PID 76] file opendirectoryd.log


I've run kill -HUP <pid> to invoke changes made to asl.conf - To confirm changes were in fact being picked up, I changed the default "? [<= Level notice] store" to write to a file and that worked.


I also have osquery installed and I tried querying the "asl" table, but the "Authentication failed" records aren't showing there either.


Where do the opendirectoryd logs live and how can I cause them to be sent to a syslog server or some other log collector?


Thank you. ...Rob





Posted on Jan 24, 2019 9:46 AM
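Sierra and later record these entries in the unified log rather than ASL, so one approach is to pipe the post's `log` query into `logger`; this is an added example, not part of the original post. `TAG`, `PRIORITY` and the sample lines are constructed, and it assumes messages sent with `logger` reach the syslog forwarding the post already has working.

```shell
#!/bin/sh
# Added example: forward failed-login events from the unified log to syslog.
# TAG and PRIORITY are assumed values; the predicate is the one from the post,
# narrowed to the subsystem the post names.
PREDICATE='subsystem == "com.apple.opendirectoryd" AND eventMessage CONTAINS "Authentication failed"'
TAG="od-authfail"
PRIORITY="auth.warning"

# Pass through only real event lines. `log` prints a banner that echoes the
# predicate (and so contains "Authentication failed") plus a column header;
# events in --style syslog start with a YYYY-MM-DD timestamp.
select_events() {
    while IFS= read -r line; do
        case "$line" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ *"Authentication failed"*)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Hand each selected line to the local syslog daemon, one message per event.
send_events() {
    while IFS= read -r line; do
        logger -p "$PRIORITY" -t "$TAG" "$line"
    done
}

# Constructed sample of `log` output (not captured from a real machine).
sample_lines() {
    cat <<'EOF'
Filtering the log data using "subsystem == "com.apple.opendirectoryd" AND eventMessage CONTAINS "Authentication failed""
Timestamp                       (process)[PID]
2019-01-24 09:41:12.123456-0800  localhost opendirectoryd[76]: Authentication failed for user
2019-01-24 09:41:15.654321-0800  localhost opendirectoryd[76]: Authentication succeeded for user
EOF
}

case "${1:-}" in
    --stream)   log stream --style syslog --predicate "$PREDICATE" | select_events | send_events ;;
    --backfill) log show --style syslog --last 1d --predicate "$PREDICATE" | select_events | send_events ;;
    --selftest) sample_lines | select_events ;;
esac
```

Run with `--selftest` to check the filter offline; `--stream` needs enough privilege to read the unified log and would normally be kept running by a launchd job.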

There are no replies.