How can I see logs of failed login attempts in MacOS Sequoia?

Some background... **cue cheesy soap opera music**


My brother's soon-to-be-ex-wife is proving to be a bit of a terror since he filed for divorce. My brother is a bit of a Luddite and he failed to reset one of his old iPhones. She managed to get her hands on it and has been monitoring his emails and text messages with family, his lawyer, private investigator etc. He has since confiscated the old phone and I've helped him to reset his passwords etc. and lock down his digital life. In the meantime we think she's still trying to get access to his devices any time he leaves the house and we're trying to get some evidence of that. In that vein I'm trying to get a record of failed login attempts to his iMac w/timestamps that correspond to him being out of the house. None of this will likely be usable in court, but useful info for his attorney all the same and could be useful if we hand devices over for any official forensic work down the road.


Anyway, I've come across several posts online detailing how I can see failed MacOS login attempts in system logs. The following is the most common...


log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1h


When I run this on my private laptop it's VERY slow and gives me a lot of results. Since I almost never forget my personal login I know these results have nothing to do with failed system logins. As I understand it Apple has recently restructured how system logs work as well so maybe there is a different approach in Sequoia?


Anyway, any help would be appreciated!

Posted on Dec 24, 2024 12:01 PM


Dec 26, 2024 8:26 PM in response to Brian S. Campbell

Plus, if Remote Management, Remote Login, and Screen Sharing are disabled in the Sharing System Preferences/Settings, then no one should be able to remotely access the Mac computers (assuming third-party software was not installed to remotely access & manage the system), especially if the Apple ID password had been changed.


The macOS system logs are not very good for troubleshooting anything these days. You will be inundated with tons of entries most times. While I've used the "log" command to attempt troubleshooting various issues, I've always had to slog through tons of entries. If you find an entry that is relevant, then maybe you can filter the results a bit further based on any differences between that entry & the junk entries.


You should contact a professional forensics investigator who is familiar with how to identify these things. It would probably help with the legitimacy of any claims as well if there was unauthorized access.


If in doubt, perform a clean install by first erasing the disk followed by reinstalling macOS. Do not restore from a backup. Manually transfer any important documents from the backup (if using Time Machine, then do so through the TM app interface). Download & reinstall third-party apps.
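One way to act on the narrowing-down advice in the reply above, as an added example that is not code from any poster in this thread: a Python filter over saved `log show --style syslog` output that keeps only entries containing the question's "Authentication failed" string, from chosen processes, inside time windows when the owner was away. The line layout, the sample lines, the hostname, the process names other than loginwindow, and the window times are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout of one `log show --style syslog` line:
#   2024-12-24 14:03:11.123456-0500  hostname process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

def parse_line(line):
    """Return (timestamp, process, message), or None for header/continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
    return ts, m["proc"], m["msg"]

def hits_while_away(lines, away_windows, needle="Authentication failed", processes=None):
    """Keep entries containing `needle`, optionally only from `processes`,
    whose timestamp falls inside one of the (start, end) away windows."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if needle not in msg or (processes is not None and proc not in processes):
            continue
        if any(start <= ts <= end for start, end in away_windows):
            out.append((ts.isoformat(), proc, msg))
    return out

# Constructed sample lines (not real macOS output); only loginwindow is a real process name.
SAMPLE = """\
Timestamp                       (process)[PID]
2024-12-24 09:15:02.000100-0500  imac backgroundd[410]: Authentication failed for cached token
2024-12-24 14:03:11.123456-0500  imac loginwindow[181]: Authentication failed for user at console
2024-12-24 14:03:40.654321-0500  imac loginwindow[181]: Authentication failed for user at console
2024-12-24 14:05:00.000000-0500  imac syncagent[512]: Authentication failed, retrying request
2024-12-24 19:30:00.000000-0500  imac loginwindow[181]: Authentication failed for user at console
""".splitlines()

# Constructed away-from-home window, timezone-aware so it compares with parsed timestamps.
AWAY = [(datetime.fromisoformat("2024-12-24T13:00:00-05:00"),
         datetime.fromisoformat("2024-12-24T16:00:00-05:00"))]

if __name__ == "__main__":
    for row in hits_while_away(SAMPLE, AWAY, processes={"loginwindow"}):
        print(*row, sep=" | ")
```

Run without the `processes` filter first to see which processes emit the string on the machine in question, then restrict to the ones that turn out to be relevant.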


Dec 24, 2024 3:50 PM in response to Brian S. Campbell

Brian S. Campbell wrote:


She managed to get her hands on it and has been monitoring his emails and text messages with family, his lawyer, private investigator etc. He has since confiscated the old phone and I've helped him to reset his passwords etc and lock down his digital life.




Anyway, any help would be appreciated!



If you think your Apple ID has been compromised

If you think your Apple Account has been compromised - Apple Support


Contact Apple for help with Apple ID account security - Apple Support

Contact Apple for support and service - Apple Support



Change the login password on Mac


Touch ID & Password settings on Mac



