Need source IP address details in failed login event alerts ,How to enable it ? Whether I need to enable it in domain controller Audit policy
What is the source device in question?
Source Device is windows terminal server or destop
Any suggestions on this?
The logs sometimes contain the IP and sometimes do not. What message IDs are you using for your alert?
Dave -Msg id is Security_4625_Microsoft-security-Auditing
Any help on this ?
Contact me by email if you havehtbsolved this issue yet and we can continue there. Dave.glover at RSA dot com
Retrieving data ...