Monitoring Failed Login Attempts

Monitor failed logins attempts with the login_locked audit option.

The new audit option login_locked and the event Locked Login (value 112) record when a login account is locked due to exceeding the configured number of failed login attempts. This event is enabled when audit option login_locked is set. To set login_locked, enter:

sp_audit "login_locked","all","all","ON"

If the audit tables are full and the event cannot be logged, a message with the information is sent to the errorlog.

The hostname and network IP address are included in the audit record. Monitoring the audit logs for the Locked Login event (112) helps to identify attacks on login accounts.