[SOLVED] System | Log Files | Audit - not showing failed WebGui auth

[mhcp]

Versions    OPNsense 22.7.10_2-amd64

I can see the SSH failed login information from the System | Log Files | Audit, with Multiselect on and all display. Example below:

Error | sshd | error: PAM: Authentication error for USER from 192.168.1.221
Warning | audit | user USER could not authenticate for sshd. [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]
Debug | audit | user USER failed authentication for sshd on OPNsense\Auth\Services\System via OPNsense\Auth\Local

I can see the WebGui logout and successful login information. Example below:

Notice | audit | /index.php: Successful login for user 'USER' from: 192.168.1.221
Notice | audit | user USER authenticated successfully for WebGui [using OPNsense\Auth\Services\WebGui + OPNsense\Auth\Local]
Notice | audit | /index.php: User logged out for user 'USER' from: 192.168.1.221

However, I did multiple failed logins between the log out and login show above and I was unable to see that.

I couldn't find anything on the GitHub Issues or searching the forum. Do other people get the same result?

[Fright]

should be there if username and passwords wasn't empty:
https://github.com/opnsense/core/blob/f5323689f3db9e91fa9f1a15e66e20f6e1e2fbba/src/etc/inc/authgui.inc#L212

[mhcp]

Ah, that's where I was going wrong. Trying with empty passwords.

Thank you for the prompt reply Fright! :-)

Have been trying to build some MONIT alerts for failed logins, Web GUI and SSH

Path | /var/log/audit/latest.log
Condition | content = 'Web GUI authentication error'

Path | /var/log/audit/latest.log
Condition | content = 'PAM: Authentication error'

Interestingly the SSH error will work on empty password.