The audit option login_locked and the event Locked Login (value 112) record when a login account is locked due to exceeding the configured number of failed login attempts. This event is enabled when audit option login_locked is set. To set login_locked, enter:
sp_audit "login_locked","all","all","ON"
If the audit tables are full and the event cannot be logged, a message with the information is sent to the error log.
The host name and network IP address are included in the audit record. Monitoring the audit logs for the Locked Login event (number 112) helps to identify attacks on login accounts.
