Password Attempt Event

Valid on UNIX
capamsc141
Valid on UNIX
Password attempt events describe an attempt by an accessor to log in with an incorrect password.
Audit records in this event have the following format:
Date Time Status Event UserName Details Reason Terminal Program AuditFlags
  • Date
    Identifies the date that the event occurred.
    Format:
    DD MMM YYYY
    Note:
     
    Privileged Access Manager
    Endpoint Management formats the date display according to your computer settings.
  • Time
    Identifies the time that the event occurred.
    Format:
    HH:MM:SS
    Note:
     
    Privileged Access Manager
    Endpoint Management formats the time display according to your computer settings.
  • Status
    Indicates an incorrect password attempt.
    Value:
    A (Password attempt)
  • Event
    Identifies the type of event this record belongs to.
    Note:
     
    Privileged Access Manager
    Endpoint Management refers to this field simply as
    Event
    .
  • UserName
    Identifies the name of the accessor that performed the action that triggered this event.
  • Details
    Indicates at which stage 
    Privileged Access Manager
    decided what action to take for this event.
    Note:
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in 
    Privileged Access Manager
    Endpoint Management, the audit record displays the message that is associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that 
    Privileged Access Manager
    wrote an audit record.
    Note:
    This field does not display in a detailed seaudit output or in 
    Privileged Access Manager
    Endpoint Management. The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Terminal
    Identifies the name of the terminal that the accessor used to connect to the host.
  • Program
    Identifies the name of the program that triggered the event.
  • AuditFlags
    Indicates whether the accessor is internal (
    Privileged Access Manager
    database user) or an enterprise user.
    Note:
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Password Attempt Event Message
The following audit record was taken from a detailed seaudit output.
13 Jan YYYY 16:21:12 A LOGIN        admin                  17  8 localhost.localdomain login
Event: Password attempt
Status: Password attempt
UserName: admin
Terminal: localhost.localdomain
Date: 13 Jan YYYY
Time: 16:21
Program: login
Details: Attempt rejected by the native environment
User Logon Session ID: 525f8d59:0000010a
AuditFlags: AC database user
This audit record indicates that on January 13, YYYY, the user admin attempted to change the account password. The attempt was rejected by the native environment because of a login failure (authorization stage code 17 attempt rejected by the native environment). The pam _seos module logged this event (reason code 8 pam support UNIX failed login).