By default, pam logs failed login attempts to auditd. My issue is that when someone tries to log in with a non-existent user, the audit message contains acct="UNKNOWN".
I would like, instead, the tried username to be logged. pam_tally2 supports the audit option that instructs it to output the tried username to the tally file. But there is still no record in auditd. I could read the tally file, but I would like to just parse auditd output, instead of additionally parsing the tally file.
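I know that it is not a good idea for the users if the administrator actually logs such information. However, my use case is that I am trying to deploy some systems for educational purposes, and I need this information to infer the students' behavior.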