I have deployed the UNIX app successfully to my environment, and the app is working well, however I don't see anything that would tell me about 'account lockouts'. I wanted to ask a couple of questions to the community to see if I'm missing something.
Question 1: Am I overlooking something within the UNIX app that I just click on to see when a Unix account is locked out? A search that is already formulated?
Question 2: In trying to build my own 'account lockout' query, I can see a series of events if I search for:
index=my_index bad password
The lack of quotes is deliberate, and all Linux data goes to the same index. I can't, however, see in the event message where it says 'bad password'.
I've also tried to search the
index=my_index sourcetype="Unix:UserAccounts"
for an instance, however I can't see anything there either. I assume it's my ignorance, so I figured I would ask and see if someone has already done this?
I found out there is no such place / extraction. This must be done manually, and in many cases from /var/log/messages.
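Since the thread concludes that lockout detection has to be built by hand from the syslog text, the following is an added example (not from the poster or from the Splunk Unix app) of the kind of field extraction and counting that search would need to do. It runs over a few constructed /var/log/messages-style lines embedded inline. The message formats for sshd, pam_unix, pam_faillock and pam_tally2 are assumptions about what those components emit; verify them against a real host's logs before turning the regexes into Splunk extractions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in /var/log/messages style (not real data).
# One SSH attempt typically produces both a pam_unix "authentication failure"
# line and an sshd "Failed password" line; only the former is counted below
# so that a single attempt is not counted twice. Formats are assumptions.
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  3 10:01:12 web01 sshd[4121]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  3 10:01:15 web01 sshd[4121]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:18 web01 sshd[4121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  3 10:01:18 web01 sshd[4121]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:18 web01 sshd[4121]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Mar  3 10:02:40 web01 sshd[4190]: Accepted publickey for bob from 10.0.0.9 port 51100 ssh2
Mar  3 10:03:02 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1002 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Mar  3 10:05:00 db02 sshd[2210]: pam_tally2(sshd:auth): user carol (1003) tally 4, deny 5
Mar  3 10:05:03 db02 sshd[2210]: pam_tally2(sshd:auth): user carol (1003) tally 5, deny 5
"""

# Traditional syslog prefix: timestamp, host, process[pid]: message
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Per-attempt failure from any PAM service (sshd, sudo, su, login ...).
# \b keeps "ruser=" from matching; the greedy .* lands on the final " user=".
PAM_AUTH_FAILURE = re.compile(
    r"^pam_unix\((?P<service>[^:)]+):auth\): authentication failure;.*\buser=(?P<user>\S*)"
)
# sshd's own failure line; useful mainly for the remote host.
FAILED_PASSWORD = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)"
)
# Explicit lockout messages from the two common PAM lockout modules.
FAILLOCK_LOCKED = re.compile(
    r"^pam_faillock\((?P<service>[^:)]+):auth\): Consecutive login failures "
    r"for user (?P<user>\S+) account temporarily locked"
)
TALLY2 = re.compile(
    r"^pam_tally2\((?P<service>[^:)]+):auth\): user (?P<user>\S+) \(\d+\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)"
)


def parse_line(line):
    """Classify one syslog line. Returns (kind, fields) or None if not relevant."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    base = {"ts": m["ts"], "host": m["host"], "proc": m["proc"].strip()}
    msg = m["msg"]
    f = PAM_AUTH_FAILURE.match(msg)
    if f:
        return "pam_failure", {**base, "service": f["service"], "user": f["user"]}
    f = FAILED_PASSWORD.match(msg)
    if f:
        return "sshd_failure", {**base, "service": "sshd", "user": f["user"], "rhost": f["rhost"]}
    f = FAILLOCK_LOCKED.match(msg)
    if f:
        return "locked", {**base, "service": f["service"], "user": f["user"], "module": "pam_faillock"}
    f = TALLY2.match(msg)
    if f and int(f["tally"]) >= int(f["deny"]):
        # pam_tally2 logs the running count; the account is locked once tally reaches deny.
        return "locked", {**base, "service": f["service"], "user": f["user"], "module": "pam_tally2"}
    return None


def summarize(log_text, threshold=3):
    """Count PAM failures per (host, user), collect explicit lockouts, and flag
    accounts whose failure count reaches `threshold` even when no lock message exists."""
    failures = Counter()
    sources = defaultdict(set)
    lockouts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind, f = ev
        key = (f["host"], f["user"])
        if kind == "pam_failure":
            failures[key] += 1
        elif kind == "sshd_failure":
            sources[key].add(f["rhost"])
        elif kind == "locked":
            lockouts.append(f)
    suspected = {k: n for k, n in failures.items() if n >= threshold}
    return {"failures": failures, "sources": dict(sources),
            "lockouts": lockouts, "suspected": suspected}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ev in result["lockouts"]:
        print(f"LOCKED  {ev['host']} {ev['user']} via {ev['module']} at {ev['ts']}")
    for (host, user), n in result["suspected"].items():
        print(f"SUSPECT {host} {user}: {n} failures from {sorted(result['sources'].get((host, user), []))}")
```

The split between `lockouts` and `suspected` mirrors the two situations the thread describes: hosts running pam_faillock or pam_tally2 log an explicit lock event you can search for directly, while hosts without those modules only give you the raw failure lines, so the "lockout" has to be inferred by counting failures per user and host over a time window. The same grouping (count by host and user, filter by a threshold) is what the hand-built Splunk search would end up doing once the user field is extracted.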