Mac OS High Sierra Authentication – Viewing Username for Failed Login Attempt


I am able to see the failed login attempts made on High Sierra via the command:

log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1h

However, it does not tell which user the attempt failed for. Is there a way for a system admin to see the username as well for the failed and successful login attempts?

By Login I mean local login from the Lock screen or upon system reboot.

The command to retrieve logs for failed attempts was from this question:

How do I see all my failed login attempts (macOS High Sierra)

But the answers to that question stopped short of telling how to see the username of a failed attempt in the logs.

Is it possible to see the username for failed and successful attempts?

Best Answer

After reaching out to Apple and not getting the answer, I was finally able to find the answer to this. To see the redacted information, i.e. the one that is marked as '<private>', I needed to turn on private mode. Here is the command to do that:

sudo log config --mode "private_data:on"

Now you can lock your screen and log back in and from now on the logs will show all the information that was earlier redacted and marked '<private>'.

Hope this helps someone else looking for the answer.
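
The answer leaves private data logging switched on, so every later entry in the unified log is stored unredacted. The script below is an added example, not part of the original answer: it enables the setting, saves the failed-login entries to a file only the caller can read, and then restores redaction. The `private_data:off` mode, the `start`/`finish` subcommands, the function names and the default file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS High Sierra.
# SUDO and LOG can be overridden, e.g. to dry-run the flow off a Mac.
SUDO="${SUDO:-sudo}"
LOG="${LOG:-log}"
PREDICATE='(eventMessage CONTAINS "Authentication failed")'

# Stop redacting <private> fields (the command from the answer).
private_on() {
    $SUDO $LOG config --mode "private_data:on"
}

# Restore redaction (same command with "off").
private_off() {
    $SUDO $LOG config --mode "private_data:off"
}

# Save failures from the last WINDOW (e.g. 15m) to OUTFILE, readable only by
# the caller, then restore redaction even if the query itself failed.
capture_and_restore() {
    window="$1"; outfile="$2"; status=0
    ( umask 077
      $LOG show --predicate "$PREDICATE" --style syslog --last "$window" > "$outfile"
    ) || status=$?
    private_off || status=$?
    return "$status"
}

# Usage: script start   -> reproduce the login ->   script finish 15m out.log
case "${1:-}" in
    start)  private_on ;;
    finish) capture_and_restore "${2:-1h}" "${3:-auth_failures.log}" ;;
esac
```

Only entries written after `start` carry the unredacted fields, so reproduce the lock-screen login between the two steps and keep the `finish` window short.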