Authentication source logging in Exchange 2013

Question

Authentication source logging in Exchange 2013

John Lake 21

We have Exchange Server 2013 on-prem in a hybrid config. We have been having brute force bad actor auth attempts to our Exchange boxes that have been causing AD lockouts. We have been disappointed with logging on the server and have not been able to easily pin down source IPs or see the bad auth attempts in logs. We have SMTP logging enabled. Thanks in advance for any feedback/help!

Answer 1

Eric Yin-MSFT 4,451

What's your question or need acutally?
If you want track those IPs, you should check IIS log, by default it's located in: %systemDriver%\Interpub\logs\logfiles

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

John Lake 21 Reputation points

2021-07-14T23:55:33.697+00:00

Thanks @Eric Yin-MSFT ! I've looked at the IIS logs but we use a load balancer and I think the article below is potentially applicable for us. I would like to hear your opinion on the suggested solution.

""One on the most common scenario when load balancing Exchange servers - and any other website as a matter of fact - is that on the web server logs, the IP of the client is not the IP of the machine that makes the requests but the IP of the load balancer instead. This is normal since the connections from the clients are terminated on the load balancer and not the web server."

The fix suggested in the article is to forward the client IP from the load balancer in a "x-forwarded-for" field and add a corresponding field called "x-forwarded-for" at the logging field config in IIS.

"Click "Select Fields" and then click "Add Field". On the Add Custom Field form, select the name of the field as you want it to appear in the log, "Request Header" as the source type and "X-Forwarded-For" as the source and click OK. The new filed will be listed under the custom fields pane."

https://blog.cpolydorou.net/2017/02/exchange-original-client-ip-on-iis-logs.html

Thanks again @Eric Yin-MSFT !
Eric Yin-MSFT 4,451 Reputation points

2021-07-15T01:32:06.603+00:00

It's reliable, Microsoft has had some similar docs on this:
How to use X-Forwarded-For header to log actual client IP address?
Get the real source IPs in the IIS hit logs for servers
John Lake 21 Reputation points

2021-07-15T03:20:17.353+00:00

thanks Eric!

Authentication source logging in Exchange 2013

0 additional answers

Activity