Security Log Failure Audit

Subject: Security Log Failure Audit
Posted by:  TimT (Ti…@discussions.microsoft.com)
Date: Sun, 26 Nov 2006

Hi,

I'm trying to automate a process related to identifying and blocking IP
addresses of people trying to do brute force attacks on a server, primarily
via FTP.

Whenever an invalid logon occurs a "Failure Audit" event is written to the
security log, but the "Source Network Address" entry is always blank. Does
anyone know why this would be blank, and how to get it populated properly?

This is an SBS 2003/ISA 2004 config, w/ISA FTP and HTTP listeners configured
with "Requests appear to come from the original client".

The FTP and web sites in IIS are configured w/logging, and the actual
external IP address does appear in the logs, but it would be much easier if I
could just get the address from the failure audit event in the security log.

This is an example of the failure audit log entry when a bad FTP login
occurs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/19/2006
Time: 10:16:12 AM
User: NT AUTHORITY\SYSTEM
Computer: MyServer
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: admin
Domain: MyDomain
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MyServer
Caller User Name: MyServer$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 880
Transited Services: -
Source Network Address: -
Source Port: -

Thanks,
Tim
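
Added example, not part of the original post: because the IIS FTP log already records the external address, the per-client count of rejected passwords can be taken from that log rather than from event 529. The W3C field set, the `[n]` session prefix on `cs-method`, the threshold of 3 and the sample lines are assumptions constructed for illustration; 530 is the FTP "not logged in" reply.

```python
import re
from collections import defaultdict

# Constructed sample in W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2006-11-19 10:16:10 203.0.113.5 [1]USER admin 331 0
2006-11-19 10:16:12 203.0.113.5 [1]PASS - 530 1326
2006-11-19 10:16:15 203.0.113.5 [2]USER administrator 331 0
2006-11-19 10:16:16 203.0.113.5 [2]PASS - 530 1326
2006-11-19 10:16:20 203.0.113.5 [3]USER root 331 0
2006-11-19 10:16:21 203.0.113.5 [3]PASS - 530 1326
2006-11-19 10:17:01 198.51.100.7 [4]USER tim 331 0
2006-11-19 10:17:03 198.51.100.7 [4]PASS - 530 1326
2006-11-19 10:17:09 198.51.100.7 [4]USER tim 331 0
2006-11-19 10:17:11 198.51.100.7 [4]PASS - 230 0
"""

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))

def failed_logins(records):
    """Map client IP -> [(time, user)] for PASS commands answered with 530."""
    pending = {}  # (client IP, session id) -> name from the last USER command
    failures = defaultdict(list)
    for rec in records:
        m = re.fullmatch(r"(?:\[(\d+)\])?(\w+)", rec.get("cs-method", ""))
        if not m or "c-ip" not in rec:
            continue
        key = (rec["c-ip"], m.group(1))
        verb = m.group(2).upper()
        if verb == "USER":
            pending[key] = rec.get("cs-uri-stem", "-")
        elif verb == "PASS" and rec.get("sc-status") == "530":
            failures[rec["c-ip"]].append((rec.get("time", "-"), pending.get(key, "-")))
    return failures

def offenders(failures, threshold=3):
    """Client IPs with at least `threshold` rejected passwords, sorted."""
    return sorted(ip for ip, hits in failures.items() if len(hits) >= threshold)

if __name__ == "__main__":
    hits = failed_logins(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip in offenders(hits):
        print(ip, len(hits[ip]), sorted({user for _, user in hits[ip]}))
```

The client that mistyped once and then logged in stays below the threshold, so only the address with three rejected passwords is reported.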
