senhasegura has syslog logs related to MFA authentication, indicating whether the token authentication was successful or failed, as well as identifying the user and the date. See an example below:
May 24 12:32:16 senhaseguralab senhasegura[773959]: May 24 12:32:16 senhaseguralab CEF:0|MT4|senhasegura|3.32.1-1|1695.001|Orbini - Authentication|5| dvc=10.10.10.10 spid=773959 src=v=Administrator msg=Token does not match. requestMethod=POST act=Multi-factor authentication cs1Label=Plugin cs1=Google cs2Label=Error code cs2=100 cs5Label=Country code cs5=- cs6Lab
Check below some examples of commands that can be used to query these logs:
- To check all logins generated with MFA:
- cat /var/log/syslog |grep Multi-factor
- To check MFA logs for a specific user:
- cat /var/log/syslog | grep '[usuário desejado]' | grep Multi-factor
- To filter successful logins:
- cat /var/log/syslog |grep Multi-factor | grep 'Token validated'
- To filter unsuccessful logins:
- cat /var/log/syslog |grep Multi-factor | grep 'does not match'
If you need to save the information to a file, just add “> [filename.txt]” at the end of the command.