Greetings, I have been researching this problem for the better part of the day and have not found any definitive answer regarding what I am trying to accomplish.
When a bad password attempt is logged on our Exchange 2010 Version 14.3 server, an entry is created in the Security event log which indicates the caller process, workstation name, and source network address. I have found that OWA and ActiveSync password failures will show that the caller process is W3WP.exe and indicate the source address that the bad password was attempted from.
I am troubleshooting a user account which is locking out sporadically, and have not been able to find much information regarding how to log verbose details of bad password attempts from edgetransport.exe to the event viewer. Most of the suggestions I see state that an IDS in front of our mail server is the solution. I understand that in this scenario I would be able to correlate time stamps of the bad password attempts in our domain controllers' netlogon.log with the source addresses attempting to connect. However, at this point in time I am unable to implement such a device.
I am simply looking for a way to determine the source address of failed logon attempts from edgetransport.exe. Was this designed in such a way that what I am trying to accomplish is impossible? If so, I am open to any other suggestions from the community regarding how I can track this down.
Thanks for re