
Detect authentication attempts from ssh/console from an application for Linux

There is a task to detect successful and unsuccessful login attempts from a Linux C++ application. What is the best way to do it?

I've only found 2 ways:
1) Check /var/logs/secure by timeout
2) Use inotify on /var/logs/secure

But there is an issue: two or more unsuccessful login attempts in /var/logs/secure look like "PAM 2 more authentication failures", and this string does not appear at the moment of the unsuccessful login.

w00drow asked Nov 10 '22 02:11

1 Answer

On a decent system, /var/log/wtmp and /var/log/btmp are the best locations to check. Glibc provides functions to make access to them easier: getutxent, getutxid, getutxline, etc.

Also check the behaviour of utmpdump -f /var/log/wtmp; it is very close to what you want (it decodes wtmp and follows new events).

Jérôme Pouiller answered Nov 14 '22 22:11
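
Added example, not part of the answer above: a C++ poller that reads wtmp/btmp directly as fixed-size struct utmpx records (the same records getutxent returns on glibc) and resumes from a saved offset, similar to what utmpdump -f does. It assumes glibc's on-disk layout and that every btmp record is a failed attempt; LoginEvent, pollLogins and appendSample are names made up for this example.

```cpp
#include <utmpx.h>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <string>
#include <vector>

struct LoginEvent { bool success; std::string user, line, host; long when; };

// ut_user/ut_line/ut_host are fixed-size and may lack a terminating NUL.
template <size_t N> static std::string field(const char (&f)[N]) {
    return std::string(f, strnlen(f, N));
}

// Returns records appended since `offset` and advances `offset` past them.
// failedLog=true: btmp, every record is a failed attempt (assumption). false: wtmp, USER_PROCESS only.
std::vector<LoginEvent> pollLogins(const std::string& path, std::streamoff& offset, bool failedLog) {
    std::vector<LoginEvent> out;
    std::ifstream in(path, std::ios::binary | std::ios::ate);
    if (!in) return out;
    const std::streamoff size = in.tellg();
    if (size < offset) offset = 0;              // file was rotated or truncated
    in.seekg(offset);
    struct utmpx rec;
    const std::streamoff n = sizeof rec;
    while (offset + n <= size && in.read(reinterpret_cast<char*>(&rec), n)) {
        offset += n;                            // never consume a half-written record
        if (!failedLog && rec.ut_type != USER_PROCESS) continue;
        out.push_back({!failedLog, field(rec.ut_user), field(rec.ut_line),
                       field(rec.ut_host), static_cast<long>(rec.ut_tv.tv_sec)});
    }
    return out;
}

// Constructed sample record for offline testing; real ones come from login/sshd.
void appendSample(const std::string& path, short type, const char* user, const char* host) {
    struct utmpx rec{};
    rec.ut_type = type;
    std::strncpy(rec.ut_user, user, sizeof rec.ut_user - 1);
    std::strncpy(rec.ut_host, host, sizeof rec.ut_host - 1);
    rec.ut_tv.tv_sec = 1668000000;              // constructed timestamp
    std::ofstream(path, std::ios::binary | std::ios::app)
        .write(reinterpret_cast<const char*>(&rec), sizeof rec);
}

int main() {
    std::streamoff pos = 0;                     // persist this between polls
    for (const auto& e : pollLogins("/var/log/wtmp", pos, false))
        std::printf("login %s from %s\n", e.user.c_str(), e.host.c_str());
}
```

Call pollLogins("/var/log/btmp", pos, true) with its own offset for failed attempts (reading btmp normally requires root), and trigger the poll from a timer or an inotify watch on the file.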