Windows – Security Log in Event Viewer does not store IPs

Tags: logging, security, windows, windows-event-log

I'd like to write a service that pulls Event Viewer records, specifically from the Security log. Of particular interest to me are things like event id 4625 (audit fail) messages. Ideally I'd like to store the IP of clients that cause audit fails more than n times in m seconds for some amount of time.

Sounds easy enough, so I quickly whipped up a .NET service to do just this. However, when I pull these audit failures, the "Source Network Address" value is always equal to "-". I would like to know how Windows can get all the way through a logon, end in failure and not know the peer's IP address.

Also worth noting: the few times that the IP address does get logged, the log entry does in fact contain lots of other useful information (like the process that generated it, the failure reason, transmitted services, etc.).

Can someone please tell me why the Security Log doesn't know the IP address of people trying to log in and failing?
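An added example (not the questioner's .NET service) of the collection and thresholding described in the question, done from PowerShell on the host itself: it reads event 4625 from the Security log, pulls the fields out of the event's XML rather than the localized message text, and flags any source address that fails more than $Threshold times within any $WindowSeconds span. Records whose IpAddress is "-" are the ones the question complains about; they are counted separately because they cannot be attributed to a client. The parameter names and defaults are this example's own.

```powershell
# Added example, not code from the question. Run from an elevated prompt;
# reading the Security log requires administrator rights.
param(
    [int]$Threshold     = 5,     # "n" failures
    [int]$WindowSeconds = 60,    # within "m" seconds
    [int]$MaxEvents     = 5000
)

function Get-LogonFailure {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The rendered message is localized; the XML form carries every field by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            IpAddress = $data['IpAddress']   # "-" when Windows recorded no peer address
            LogonType = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
            Status    = $data['Status']      # NTSTATUS, e.g. 0xC000006D = bad user or password
        }
    }
}

function Find-BruteForceSource {
    param(
        [object[]]$Failures,
        [int]$Threshold,
        [int]$WindowSeconds
    )
    # Keep only records with a usable address, then slide a window over each
    # address's sorted timestamps: if event i+Threshold lies within WindowSeconds
    # of event i, that address produced more than Threshold failures in the window.
    $Failures |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
            for ($i = 0; $i + $Threshold -lt $times.Count; $i++) {
                if (($times[$i + $Threshold] - $times[$i]).TotalSeconds -le $WindowSeconds) {
                    [pscustomobject]@{
                        IpAddress   = $_.Name
                        Failures    = $times.Count
                        WindowStart = $times[$i]
                        WindowEnd   = $times[$i + $Threshold]
                    }
                    break   # one hit per address is enough to act on
                }
            }
        }
}

$failures  = @(Get-LogonFailure -MaxEvents $MaxEvents)
$noAddress = @($failures | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' })
"{0} logon failures read, {1} of them with no source address" -f $failures.Count, $noAddress.Count
Find-BruteForceSource -Failures $failures -Threshold $Threshold -WindowSeconds $WindowSeconds |
    Format-Table -AutoSize
```

The count of unattributable records is printed on purpose: if most failures land in that bucket, blocking by address will miss them no matter how good the threshold logic is, which is exactly the situation the question describes. Reading the XML also gives you LogonType and Status for free, so the same records can be split by service (RDP versus SMB versus others) without parsing the message text.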

Best Answer

Can someone please tell me why the Security Log doesn't know the IP address of people trying to log in and failing?

Here is the cause for something like Remote Desktop.

http://cyberarms.net/security-insights/security-lab/remote-desktop-logging-of-ip-address-%28security-event-log-4625%29.aspx

There is no option in Windows to enable or disable the logging of IP address, at least not to my knowledge.

For Remote Desktop I discovered that going into "Remote Desktop Session Host Configuration" and changing the RDP-TCP connection to have the security layer of "RDP Security Layer" instead of "Negotiate" or "SSL (TLS 1.0)" brought back the IP addresses.

Whether you really want to do this is another question for you, "If you select RDP Security Layer, you cannot use Network Level Authentication."
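An added example, not from the answer above, for checking and applying the change the answer describes without opening the configuration GUI. It assumes the Win32_TSGeneralSetting WMI class in the root\CIMV2\TerminalServices namespace, where SecurityLayer is 0 for "RDP Security Layer", 1 for "Negotiate" and 2 for "SSL (TLS 1.0)", and UserAuthenticationRequired reflects Network Level Authentication. The -SetRdpSecurityLayer switch is this example's own.

```powershell
# Added example, not code from the answer. Run from an elevated prompt.
param([switch]$SetRdpSecurityLayer)

# Meaning of the SecurityLayer values on the RDP-Tcp listener (assumed mapping, see lead-in).
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"
if (-not $ts) { throw 'RDP-Tcp listener not found' }

"Current security layer : {0} ({1})" -f $ts.SecurityLayer, $layerNames[[int]$ts.SecurityLayer]
"NLA required           : {0}" -f [bool]$ts.UserAuthenticationRequired

if ($SetRdpSecurityLayer) {
    if ($ts.UserAuthenticationRequired) {
        # The answer's caveat: RDP Security Layer cannot be used together with NLA.
        Write-Warning 'NLA is currently required; it cannot be used with RDP Security Layer. Review UserAuthenticationRequired after this change.'
    }
    $result = $ts.SetSecurityLayer(0)
    if ($result.ReturnValue -ne 0) { throw "SetSecurityLayer failed with return value $($result.ReturnValue)" }
    'Security layer set to RDP Security Layer; the setting applies to new connections.'
}
```

Run it without the switch first to see what the listener is currently using; only pass -SetRdpSecurityLayer once you have weighed the trade-off the answer points out, since you give up NLA (and TLS on the listener) to get the address back into the event. On PowerShell 7, where Get-WmiObject is absent, the same class is reachable through Get-CimInstance and Invoke-CimMethod.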