I am not sure if there is a better way to explicitly write a log entry when a user is locked out on the MWG side, but we do have a property which is called "Authentication.FailureReason". You could create a rule which looks into it after authentication has been attempted. When the property is "0" everything went fine; if it is not, there was an error.
You could write a separate log file where you put a line with client IP and some additional information when authentication was not successful. Since you won't get the user name (as authentication did not succeed), I think your best chance would be to take the timestamp from the output you posted and have a look at this time period in your custom log. You will likely see a specific client IP making requests, which could help in identifying the machine causing the user to be locked out.
Asabban, good morning, thank you for your help, but I need some more information to create this rule.
Are you saying that I have to create a rule with the option Authentication.FailureReason is equal to 0?
Then how do I create this event log?
If you can share a few details about it, I would be very grateful!
It could look like this:
I placed this into my log handler. Every time the FailureReason is NOT "0" ("0" indicates that authentication went fine) a line is written to a custom log. The line contains the client IP and date/time (of course you can modify the log as you like). In case you get notified that a user was locked out at a specific time period, try looking into the log and see if you can find a match.
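The lookup described above (match a lockout time against the custom log and see which client IP was failing authentication) can be scripted. This is an added example, not part of the original thread and not MWG code; the log line layout, the sample lines, the failure reason values and the function names are all assumptions to adapt to your own log handler.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. Assumed layout, one entry per failed authentication:
# [dd/Mon/yyyy:HH:MM:SS +zzzz] client_ip failure_reason
SAMPLE_LOG = """\
[12/Mar/2024:09:58:41 +0100] 10.1.20.15 3
[12/Mar/2024:10:01:02 +0100] 10.1.20.77 3
[12/Mar/2024:10:01:05 +0100] 10.1.20.77 3
[12/Mar/2024:10:01:09 +0100] 10.1.20.77 3
garbled line
[12/Mar/2024:10:01:30 +0100] 10.1.33.4 4
[12/Mar/2024:11:45:00 +0100] 10.1.20.15 3
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip, reason), or None if the line does not match."""
    line = line.strip()
    if not line.startswith("[") or "]" not in line:
        return None
    ts_text, _, rest = line[1:].partition("]")
    fields = rest.split()
    if len(fields) != 2:
        return None
    try:
        return datetime.strptime(ts_text, TS_FORMAT), fields[0], fields[1]
    except ValueError:
        return None


def suspects(log_text, lockout_time, window_minutes=5):
    """Count failed authentications per client IP within +/- window of the lockout."""
    window = timedelta(minutes=window_minutes)
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip truncated or foreign lines instead of aborting
        ts, ip, reason = entry
        # "0" means authentication succeeded; anything else is a failure
        if reason != "0" and abs(ts - lockout_time) <= window:
            counts[ip] += 1
    return counts.most_common()


if __name__ == "__main__":
    lockout = datetime.strptime("12/Mar/2024:10:01:10 +0100", TS_FORMAT)
    for ip, n in suspects(SAMPLE_LOG, lockout):
        print(f"{ip}\t{n} failed authentications near lockout")
```

Take the lockout time from the directory server's lockout event and keep the window narrow; the client IP with a burst of failures just before that time is the machine to inspect first.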