From eDirectory version 888Patch9 and 902 we can monitor successful and failed login events through XDAS auditing with the help of the latest eDirectory Collector (2011.1r7) and NMAS Collector (2011.1r4). Modify the Directory System to report the LOGIN and AUTHENTICATE events separately. Add two new DS events DSE_LOGIN_EX (mapped to Create Session XDAS event) and DSE_AUTHENTICATE (mapped to Authentication Session XDAS event) which are used for Login and Authentication. These new events are only used by XDAS.
Also XDAS instrumentation provides reasons for login failures like “Login Failed” for the wrong password, “Account Expired” for Account disabled, and “Account Locked” for account locked due to intruder detection.
Steps to monitor successful and failed login events:
Auditing eDirectory events: https://www.netiq.com/documentation/edir88/edirxdas_admin/data/brpq3ik3.html
Auditing NMAS events: https://www.netiq.com/documentation/nmas33/admin/data/bwmt40o.html
Now setup is ready for monitoring successful and failed login events.
Check the screen shot below of Sentinel view of a login event for both a successful login and a failed login.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.