A user lockout event log entry typically looks like this:
Event ID: 539
Type: Failure Audit
Description: Logon Failure:
Reason: Account locked out
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Having that said, you would likely use someting like the following values within Event Log Monitor:
- Event Area: Security
- Event Type: Security Audit Failure
- Event ID: 539
- Scenario #1: Regex Pattern \i(.*account locked out.*bob.*)
***Assuming 'bob' is the account you wish to watch.
That should be all.
Chris Foley | Support Specialist
SolarWinds | IT Management, Inspired By You
Support:866.530.8040 || Fax:512.857.0125
Thank You Chris for your reply. It was very helpful.