We have a couple of customer servers which are not blocking failed login attempts by hackers. We are using ossec and these servers are currently running 8.0.4
This used to work fine but not sure when it stopped on these machines, may have been when then were upgraded from 8.0.3
When I look at the audit.log there is no record of failed attempts. If I look in mailbox.log it just shows mailbox does not exist once. Does anyone have ideas why the audit.log is no longer showing these failed attempts. Have they moved or do I need to enable something somewhere.
Any advise would be great