Hi,
Yes, it is the expected behavior.
Lockout event will be logged on the Domain Controller.
Login failed event will logged on the workstation where the user logon to if the Audit Logon Events – Failure was enabled on the clients.
Then we can audit Process Tracking for this client, then analyze the event log to find out which process or apps send the BAD password.
Best Regards,