Event ID: 539 Source: Security

Description
Logon Failure:
Reason: Account locked out
User Name: <user name>
Domain: <domain name>
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <computer name>
Comments
 
As per Microsoft: "A user tried to log on to the system using an account that is locked out. A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server". See MSW2KDB for details.

See ME171148, ME182918 and ME922730 for additional information about this event.
See ME287639, ME263821 and ME264678. Service Pack 3 for Win2k should fix this problem.
ME174073 is also very helpful in troubleshooting this event and other audit failures in general.
The successful logon types are:
Type 2 : Console logon - interactive from the computer console.
Type 3 : Network logon - network mapping (net use/net view).
Type 4 : Batch logon - scheduler.
Type 5 : Service logon - service uses an account.
Type 7 : Unlock Workstation.
Type 0 & 1 are not used and Type 6 is listed as a proxy logon but I do not know what that is. The Logon Type 3 events indicate a network logon event. A successful Net Use or File Manager connection or a successful Net View to a share generates Event ID 528. An event is generated by the initial connection from a particular user. Later Net Uses or Net Views by that user from the same computer do not generate additional events unless the user has been disconnected.
This event indicates a logon attempt for a locked account (the account was locked out at the time the logon attempt was made). This event can (but does not necessarily) indicate that a password attack was launched unsuccessfully, resulting in the account being locked out.
If the account is SMSCliToknAcct&, see ME299352.
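The following is an added example, not code from this page or from Microsoft: it parses Event 539 descriptions in the layout shown above and reports which accounts produce repeated lockout failures and from which workstation, which is how a misconfigured service account password is usually tracked down. The threshold of 3, the function names and the sample events are assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict

# Logon types as listed in the comments on this page.
LOGON_TYPES = {2: "Console", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock"}

def parse_539(description):
    """Parse the 'Name: value' lines of an Event 539 description into a dict."""
    fields = {}
    for line in description.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    if fields.get("Reason") != "Account locked out":
        return None  # a different logon failure, not the 539 lockout case
    logon_type = fields.get("Logon Type", "")
    fields["Logon Type"] = int(logon_type) if logon_type.isdigit() else None
    return fields

def summarize(descriptions, threshold=3):
    """Report accounts with >= threshold events and their most frequent origin."""
    per_account = defaultdict(Counter)
    for text in descriptions:
        event = parse_539(text)
        if event is None:
            continue
        account = "\\".join([event.get("Domain", ""), event.get("User Name", "")]).lower()
        origin = (event.get("Workstation Name", ""),
                  LOGON_TYPES.get(event["Logon Type"], "Unknown"))
        per_account[account][origin] += 1
    report = {}
    for account, origins in per_account.items():
        total = sum(origins.values())
        if total >= threshold:  # threshold is an assumed value, tune per site
            report[account] = {"total": total, "top_origin": origins.most_common(1)[0]}
    return report

def make_event(user, domain, logon_type, workstation):
    return ("Logon Failure:\n Reason: Account locked out\n"
            f" User Name: {user}\n Domain: {domain}\n Logon Type: {logon_type}\n"
            " Logon Process: Advapi\n"
            " Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            f" Workstation Name: {workstation}\n")

# Constructed sample data: a service account failing repeatedly from one server.
SAMPLE = ([make_event("svc_backup", "CORP", 3, "APP01")] * 4
          + [make_event("svc_backup", "CORP", 3, "APP02"),
             make_event("jsmith", "CORP", 2, "WS17")])

print(summarize(SAMPLE))
```

A single dominant workstation with Logon Type 3 or 5 points to a stored credential on that machine; failures spread across many workstations and accounts fit the password-attack case mentioned in the comments.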

