> Does '/var/log/faillog' exist and is it properly writable? > Is SELinux in play, etc? The man page does not speak in terms > of edits to: /etc/pam.d/system-auth but rather to: > /etc/pam.d/login [note -- I suspect there may be a man page > bug here ... in testing; changes to /etc/pam.d/login and some > intentionally failed logins, do not seem to cause content to > be added to /var/log/faillog . Making the edit to: > /etc/pam.d/system-auth-ac DOES cause content to be registered, > and to show up with the 'faillog -a' command [*1] ]. > > /etc/pam.d/system-auth is a symlink to: > /etc/pam.d/system-auth-ac on my C 5 box, and editting here > seems to work just fine: > > [root at centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac > --- system-auth-ac~ 2010-04-20 15:46:34.000000000 -0400 > +++ system-auth-ac 2010-04-20 15:46:34.000000000 -0400 > @@ -2,6 +2,7 @@ > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > +auth required pam_tally.so deny=3 unlock_time=600 per_user > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth required pam_deny.so > [root at centos-5 pam.d]# > > Nota bene: Note that the GUI tools will happily 'tromp' on > changes you make, and do not retain backups. > > Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac > per: > man pam_tally > at the bottom of that man page, and > man 8 faillog > > Not enough here to diagnose properly presently. thanks both pebkac it appears - faillog -a was producing the expected results, what seems to be the issue is that although the syntax was correct the location within auth-config was wrong and therefore being ignored. your diff gave me the clue and seemingly resolved my issue - many thanks