Dear Samuel,
I have just attempted to reproduce your issue in my lab. Initially, the server showed no logon failures, since I had not yet booted the machine ( The Pre-boot booguard screen does not upload data to the server )
I attempted to logon and failed many times, and locked out the account. Still no items showing on the server.
Later, I authenticated with a WDRT, and booted the system.
After the boot completed, the system checked in with the server. I now see some items in the server logs where the client has started, and checked in. However it did not show the login failures immediately.
Sometimes a full check-in on a client will not happen until there is a "Disk event". So, I added a second passphrase user to the client in order to force a disk event. I then forced a policy update on the client, and found a WDE Login failure notification on the home screen.
So, you may need to force a disk event to get some more details regarding the incident... Below is an excerpt of what a WDE failure log should look like
CLIENT-00013: WDE Event [time Mon 23 Mar 2015 02:48:54 PM PDT, machine e76ea8e6-9816-4424-9dde-461db4bad02c, device e76ea8e6-9816-4424-9dde-461db4bad02c, partition 2] mount: failure, user <WDRT>, events 7, time Mon 23 Mar 2015 02:35:06 PM PDT, time Mon 23 Mar 2015 02:35:43 PM PDT
From the above example, you can see that there were 7 login attempts right around 2:35 PM.. So you can try searching your client logs for mount: failure...
Additionally, under Consumers -> Devices -> "Hostname of Device in question" - You should find a section for Disk Login Failures. This will essentially contain the same information in a more human readable format. It gives the UUID of the machine, common name of the drive, partion, first logon attempt failed, number of failures, and time of successful logon. That will help give you a window of time during which someone was attempting to log in with the wrong passphrase.
Feel free to let me know if there is anything I can help clarify here.
Best Regards,
Phil