Log Failed Logins


I know failed logins get logged on the database, but is there a way to log failed logins to the admin section on a login.log? The reason for this is because I want to setup a rule for fail2ban. I'm just looking for some things like:

failed to login user test@test.com from

any help would be appreciated.



no good ??

Admin home page as "Recent Activity" block in lower right that is a list of the most recent logs. You could always write an addon that would get just the failed login entiries. But suggest you work with something like the advanced log search for:

Period = this week

Type = users

Action = Failed logins

Which would come out something like the following.


You can get rid of the time period and probaby add an '&items_per_page=10' to just get the most recent 10 entries of that type.


Thanks guys, but the problem is that as far as I'm aware fail2ban can only query .log files, I don't think you can setup fail2ban filters using database.

I got us far as this, but I can't get failed to work. Can anyone help me with it?

use Tygh\Registry;

if (!defined(‘BOOTSTRAP’)) { die(‘Access denied’); }

if (AREA == ‘A’ && $mode == ‘login_form’) {
if ($mode == ‘login’) {
$login = “SUCCESS”;
} elseif ($action == ‘failed_login’) {
$login = “FAILED”;

if (!empty(Tygh::$app['session']['auth']['user_id'])) {
    $user_id = Tygh::$app['session']['auth']['user_id'];
} else {
    $user_id = 0;

$ip = fn_get_ip();

function fn_my_changes_failed_logins($log_msg) {
    $log_filename = "./var/log";
    if (!file_exists($log_filename)) 
        mkdir($log_filename, 0777, true);
    $log_file_data = $log_filename.'/failed_login.log';
    file_put_contents($log_file_data, $log_msg . "\n", FILE_APPEND);

fn_my_changes_failed_logins('[' . date('d-M-Y H:i:s') . ']' . ' ' . $login . ' ' . 'login for user' . ' ' . $user_id . ' ' . 'from' . ' ' . $ip['host']);


I would use the "fill_auth" PHP hook. You can review the code for the appropriate conditions/logic (fill_auth() in fn.users.php). Note that if $user_data is empty, then it's a logout. Also check that $act_as_user is false.

You should use 'fn_mkdir()' which will set the mode as configured for the site rather than forcing it to 777. It will also handle whether the directory already exists as a directory. And note that the file could have been removed but the directory still exists..