I am trying to generate a report that shows when users fail to logon due to bad passwords.
I am only collecting the event logs on my domain controllers. The event ID that is generated due to a bad password is 4625. The problem is that 4625 is registered on the computer where the login was attempted and not on the computers that I am collecting logs.
There are other IDs that are registered on the DCs that can give this information but the custom reports are very verbose and not simple to read like the one provided as a standard report. We don't want to collect logs from every computer on the domain. What I would really like is a way to modify the built in report to look for event ID 4771 and 4777
Any suggestions?