How to generate audit reports for user login

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Micro 6
SUSE Linux Enterprise Micro 5

User login success and failures need to be tracked. The raw audit reports stored in the /var/log/audit directory tend to become very bulky and hard to understand. To more easily find relevant messages, use the aureport utility and create custom reports.

Use aureport to report on successful and failed attempts of user authentication.

1. Summary of failed login events: 

# sudo aureport --failed

Failed Summary Report
======================
Range of time in logs: 12/31/1969 19:00:00.000 - 05/07/2025 15:26:48.091
Selected time for report: 12/31/1969 19:00:00 - 05/07/2025 15:26:48.091
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 6
Number of authentications: 0
Number of failed authentications: 49
Number of users: 3
Number of terminals: 5
Number of host names: 4
Number of executables: 4
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 50
Number of events: 72

2. Summary of successful login events:

# sudo aureport --success

Success Summary Report
======================
Range of time in logs: 12/31/1969 19:00:00.000 - 05/07/2025 15:26:48.091
Selected time for report: 12/31/1969 19:00:00 - 05/07/2025 15:26:48.091
Number of changes in configuration: 22
Number of changes to accounts, groups, or roles: 5
Number of logins: 38
Number of failed logins: 0
Number of authentications: 48
Number of failed authentications: 0
Number of users: 3
Number of terminals: 7
Number of host names: 4
Number of executables: 10
Number of commands: 3
Number of files: 0
Number of AVC's: 41
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 377
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 227
Number of events: 1696     

3. Success and failure of all login attempts with usernames:

# sudo aureport -l -i
Login Report
============================================
# date time auid host term exe success event
============================================
13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809

4. Create a summary report for user login events:

# sudo aureport -l -i
Login Report
============================================
# date time auid host term exe success event
============================================
13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809

5.  Set the desired time frame and combine it with the report option needed. This example focuses on login attempts:

# sudo aureport -ts 02/16/09 8:00 -te 02/16/09 18:00 -l
Login Report
============================================
# date time auid host term exe success event
============================================
16/02/09 12:39:05 root: 192.168.2.100 sshd /usr/sbin/sshd no 2108
16/02/09 12:39:12 0 192.168.2.100 /dev/pts/1 /usr/sbin/sshd yes 2114
16/02/09 13:09:28 root: 192.168.2.100 sshd /usr/sbin/sshd no 2131
16/02/09 13:09:32 root: 192.168.2.100 sshd /usr/sbin/sshd no 2133
16/02/09 13:09:37 0 192.168.2.100 /dev/pts/2 /usr/sbin/sshd yes 2139

Further Information on aureport and other commands can be found in Documentation.

https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-audit-setup.html