How do I monitor failed logon attempts in Windows?
Solution 1:
Microsoft ACS does this very well. It is a component of System Center Configuration manager. You can look at the logon failures from the DC perspective or from the client perspective depending on your specific needs.
There are MS Partner Solutions that also aid in this from the Management Pack side as well as the ACS reporting side.
Full Disclosure: I work for one of said MS Partners
Solution 2:
For a central solution, use one of the Windows syslog providers to forward security log entries to a central syslog aggregator. Watch for the right events and then take whatever actions you want after that. Same deal as in the UNIX world. Back in my Windows days we used NTsyslog on each host to feed the event log into a server running SL4NT. SL4NT is actually a pretty powerful syslog daemon and more fully featured than a lot of the UNIX versions. Both SL4NT and NTsyslog are very easy to setup.
Solution 3:
Sadly, you can't use GINA for Vista. Vista uses Credential Providers.
Have you looked at parsing the Security Event Log? It's not pretty but it avoids mucking with GINA.
Solution 4:
@Jonas: When you say "monitor failed log on attempts on-the-fly", do you mean you want something that reacts in real time to a failed log on? Or do you want to be able to run something that will tell you how many failed logons there has been, say, for a machine over a specific time period?