5.4 Capture messages sent to syslog AUTH facility - Check if 'auth.info' is set to /var/log/authlog

Information

By default, Solaris systems do not capture logging information that is sent to the LOG_AUTH facility. However, a great deal of important security-related information is sent via this channel (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

See Also

https://workbench.cisecurity.org/files/633