I use 13.13.15-ce. I found a log in application_json.log today like this.
"message":"Account Locked: username=root"
Usually This is recorded after the user root has failed login several times and I can expect to see something like below in the same log file or pervious archived log files.
"message":"Failed Login: username=root ip=220.127.116.11"
But I didn’t find any log relate to the failed login attempts.
There might be someone trying to break into our system but I have no idea how they can immediately lock root user without attempting to login first. I have checked the source code but I didn’t find anyting useful.
If someone has some experience on this I would really appreciate it.