Monday, 13 June 2022

How to Monitor All Failed Login Attempts in Solaris 11

This procedure captures in a syslog file all failed login attempts.

Before You Begin

You must be in the root role.

1. Set up the /etc/default/login file with the desired values for SYSLOG and SYSLOG_FAILED_LOGINS.

   Edit the /etc/default/login file to change the entry. Make sure that SYSLOG=YES is uncommented.

       # grep SYSLOG /etc/default/login
       # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
       SYSLOG=YES
       # The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
       #SYSLOG_FAILED_LOGINS=5
       SYSLOG_FAILED_LOGINS=0
       #

2. Create a file with the correct permissions to hold the logging information.

   a. Create the authlog file in the /var/adm directory.

          # touch /var/adm/authlog

   b. Set read-and-write permissions for root user on the authlog file.

          # chmod 600 /var/adm/authlog

   c. Change group membership to sys on the authlog file.

          # chgrp sys /var/adm/authlog

3. Edit the syslog.conf file to log failed password attempts.

   Send the failures to the authlog file.

   a. Type the following entry into the syslog.conf file. Fields on the same line in syslog.conf are separated by tabs.

          auth.notice	/var/adm/authlog

   b. Refresh the system-log service.

          # svcadm refresh system/system-log

4. Verify that the log works.

   For example, as a regular user, log in to the system with the wrong password. Then, as superuser, display the /var/adm/authlog file.

       # more /var/adm/authlog
       Nov  4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
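Once failures are being written to /var/adm/authlog, they can be summarised per user and source host to spot repeated attempts. The script below is an added example, not part of the original procedure: it assumes the record layout shown in the verification step and a POSIX awk (on Solaris, nawk or /usr/xpg4/bin/awk), and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "Login failure"
# records written to /var/adm/authlog by the auth.notice rule.

# failed_login_summary [MIN]
#   Reads authlog text on stdin and prints "COUNT USER SOURCE" for every
#   user/source pair with at least MIN failures (default 1), highest first.
failed_login_summary() {
    awk -v min="${1:-1}" '
    {
        i = index($0, "Login failure on ")
        if (i == 0) next                      # not a failed-login record
        rest = substr($0, i + 17)             # "/dev/pts/8 from example2, stacey"
        if (!match(rest, /, [^ ,]+$/)) next   # no trailing ", user": skip
        user = substr(rest, RSTART + 2)
        head = substr(rest, 1, RSTART - 1)    # "/dev/pts/8 from example2"
        f = index(head, " from ")
        # Assumption: a record without "from <host>" is a local login; shown as "-".
        src = (f > 0) ? substr(head, f + 6) : "-"
        n[user " " src]++
    }
    END { for (k in n) if (n[k] >= min + 0) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records (hosts, users and the non-login line are made up).
sample_authlog() {
    cat <<'EOF'
Nov  4 14:46:11 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov  4 14:46:19 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov  4 14:46:27 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/8 from example2, stacey
Nov  4 14:47:02 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, jdoe
Nov  4 14:47:10 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, jdoe
Nov  4 14:47:30 example1 su: [ID 000000 auth.notice] constructed unrelated record
Nov  4 14:48:05 example1 login: [ID 143248 auth.notice] Login failure on /dev/pts/9 from example3, stacey
Nov  4 14:49:41 example1 login: [ID 143248 auth.notice] Login failure on /dev/console, root
EOF
}

# Demo on the constructed sample: pairs with two or more failures.
sample_authlog | failed_login_summary 2
# On a live system, as root:  failed_login_summary 3 < /var/adm/authlog
```
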
