Dan, I'm actually just triggering the bad password attempt from the windows machine that's locked, rather than locking out the user account. The rule that should fire for me is rule id 18106 as a result of event ID 4625 being generated. Still don't understand why it doesn't work while the rule test works...
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
