If I have two DCs on a network and a user is locked out on Srv2 (event 4740), can this event get propagated to Srv1's event log as well, or are there settings to control this?
I am hoping it is possible to check only one event log to read all lockout events for an entire domain. From what I have been able to deduce, it appears that evt 4740 only appears on the server where the lockout actually occurred.
Event forwarding forwards events from one computer to another. This can be used to collect events at a specific computer to ease event log handling.
Microsoft has a TechNet article for this:
https://technet.microsoft.com/en-us/library/cc748890.aspx
Windows IT Pro also has an article regarding troubleshooting event log forwarding:
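
As an added example (not part of the original answer or the linked articles), this is one way to set up the forwarding described above so that every event 4740 lands in a single log on a collector. The DC names and the subscription ID are placeholders, and the script assumes WinRM is already enabled on each source DC and that the collector's computer account is permitted to read the Security log there.

```powershell
# Run in an elevated PowerShell session on the collector machine.
# Assumptions (not from the original post): placeholder DC names, WinRM already
# enabled on each source DC, and the collector's computer account able to read
# the Security log on those DCs (for example via the Event Log Readers group).
$subscriptionId = 'AccountLockouts-4740'                     # hypothetical name
$sourceDCs      = @('dc1.example.local', 'dc2.example.local') # placeholders

# One <EventSource> element per domain controller to pull from.
$eventSources = ($sourceDCs | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"

# Collector-initiated subscription that selects only event 4740 from Security.
$subscription = @"
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Account lockout events (4740) from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4740)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

wecutil qc /q                 # configure and start the Windows Event Collector service
wecutil cs $xmlPath           # create the subscription from the XML file
wecutil gr $subscriptionId    # per-source runtime status; check for errors here

# Lockouts from every listed DC can now be read from one log on the collector.
Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[(EventID=4740)]]' -MaxEvents 20 |
    Select-Object TimeCreated, MachineName,
        @{ n = 'LockedAccount'; e = { $_.Properties[0].Value } }
```

In the final query, `MachineName` is the domain controller that logged the lockout, so the originating server is still visible after forwarding.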