Faillog in Linux: Display Records of Login Failure

Author: Vivek Gite Last updated: April 26, 2011 2 comments

I‘m running RHEL on HP server. This server allows to login to reset of the LAN from the Internet. How do I find out failed login records under Linux operating systems?

You need to use the faillog command to see the all failed login attempts. Linux records failed login into a special database at /var/log/faillog. To see contents of the failure log database at /var/log/faillog use faillog command. The same command can be used for

  1. Set the failure counters.
  2. Set or configure the limits.
  3. Display failed login information.

More About /var/log/faillog File

The /var/log/faillog maintains a count of login failures and the limits for each account. The file is binary format with the following the structure of the file:

           struct    faillog {
                short   fail_cnt;
                short   fail_max;
                char    fail_line[12];
                time_t  fail_time;
                long    fail_locktime;
           };

You cannot view the structure using the cat command:
# cat /var/log/faillog
So you need to use the faillog command to display this binary file records.

faillog Command Examples

described in our previous tutorial. To display failed login attempts for user tom, enter:
# faillog -u usernameHere
# faillog -u tom
To display failed login attempts for all users, enter:
# faillog -a
To display faillog records more recent than 5 days, enter:
# faillog -t 5 -u tom
🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
Related Tutorials
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
2 comments… add one
  • b0nd Feb 7, 2012 @ 23:02

    Hi Vivek,

    Your articles are quite precise and good. Often Google lands me to your page :).
    I appreciate you for devoting your time and energy crafting them.

    Cheers!

    Reply Link
  • Lok Nov 23, 2015 @ 3:51

    Would you be able to include an example of output of the “faillog” command, with description of the fields?

    Reply Link

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz

Next FAQ:

Previous FAQ:

🔎 Search this site

FEATURED ARTICLES

Sign up for my newsletter