0

By default, PAM logs failed login attempts to auditd. My issue is that when someone tries to log in with a non-existent user, the audit message contains acct="UNKNOWN".

I would like, instead, the tried username to be logged. pam_tally2 supports the audit option that instructs it to output the tried username to the tally file. But there is still no record in auditd. I could read the tally file, but I would like to just parse auditd output instead of additionally parsing the tally file.

I know it is not a good idea for users if the admin does log such info. My use case, however, is that I try to deploy some systems for educational purposes and I need this information to infer about student actions.

1 Answer

0

I eventually used pam_warn to get the unknown user as well as the IP of the connecting user.
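A sketch of pulling the attempted username and remote host out of pam_warn's syslog records, added here as an example and not taken from the original answer. It assumes pam_warn.so is in the service's auth stack and that records use Linux-PAM's key=[value] layout; the log lines and the parse_pam_warn name are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not from the original post). The layout is
# assumed to match Linux-PAM's pam_warn: key=[value] pairs after the prefix.
SAMPLE_LOG = """\
Mar  3 10:15:01 lab1 sshd[2211]: pam_warn(sshd:auth): function=[pam_sm_authenticate] flags=0 service=[sshd] terminal=[ssh] user=[nosuchuser] ruser=[<unknown>] rhost=[192.0.2.10]
Mar  3 10:15:09 lab1 sshd[2211]: Failed password for invalid user nosuchuser from 192.0.2.10 port 50022 ssh2
Mar  3 10:16:40 lab1 sshd[2290]: pam_warn(sshd:auth): function=[pam_sm_authenticate] flags=0 service=[sshd] terminal=[ssh] user=[student7] ruser=[<unknown>] rhost=[192.0.2.23]
Mar  3 10:17:02 lab1 login[2301]: pam_warn(login:auth): function=[pam_sm_authenticate] flags=0 service=[login] terminal=[/dev/tty1] user=[al[ice] ruser=[<unknown>] rhost=[<unknown>]
"""

# "pam_warn(<service>:auth):" prefix written by pam_syslog.
HEADER = re.compile(r"pam_warn\(([^:)]+):auth\):")
# A value ends at the "]" that is followed by the next key= or end of line,
# so a "[" or "]" typed into the username does not cut the field short.
FIELD = re.compile(r"(\w+)=\[(.*?)\](?=\s+\w+=|\s*$)")


def parse_pam_warn(log_text):
    """Return one dict per pam_warn auth record: service, user, rhost.

    pam_warn records the attempt, not its outcome; correlate with the
    auditd or sshd failure records to know whether the login failed.
    """
    records = []
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if not header:
            continue  # not a pam_warn auth record
        fields = dict(FIELD.findall(line[header.end():]))
        rhost = fields.get("rhost")
        records.append({
            "service": header.group(1),
            "user": fields.get("user"),  # client-supplied, treat as untrusted
            "rhost": None if rhost == "<unknown>" else rhost,
        })
    return records


if __name__ == "__main__":
    for rec in parse_pam_warn(SAMPLE_LOG):
        print(rec)
```

These records go to syslog rather than to the audit log, so they are parsed from the auth log or the journal, not from auditd output.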