By default, PAM logs failed login attempts to auditd. My issue is that when someone tries to log in with a non-existent user, the audit message contains acct="UNKNOWN".

I would like, instead, the tried username to be logged. pam_tally2 supports the audit option that instructs it to output the tried username to the tally file. But there is still no record in auditd. I could read the tally file, but I would like to just parse auditd output instead of additionally parsing the tally file.