Thanks for everyone's replies. I wasn't aware of some of these capabilities so I want to make sure I understand.
Currently, I "log to syslog web access" as the first rule, then proceeding rules will "log to file" based on different types of devices. Based on this setup, a search in web access for "user account is locked out" does not work for older events. However, if I goto Windows explorer to search a specific log file, it's there. Based on what bkyle is saying, I assume web access stores 4gb of current data that rotates and so older events will no longer be there. Is this correct, or is there a way for web access to search through all log files? We have 41gb of current month log files and 19gb of archives.
Since that does not fix my problem, alternatively from what kstone says, I should be able to setup another rule to filter "user account is locked out" to capture the data I specifically want to a log file. This I understand and will try.
The last part is, how do I "log messages to a full SQL or MySQL"? Is this the "log to databases" action? Under the provider tab, I see a bunch of Microsoft providers, but nothing for MySQL. This option may be overkill for what I need.
I will also try out WinGREP as that is also an option for what I'm trying to do.