Authentication source logging in Exchange 2013

John Lake 21 Reputation points

We have Exchange Server 2013 on-prem in a hybrid config. We have been having brute force bad actor auth attempts to our Exchange boxes that have been causing AD lockouts. We have been disappointed with logging on the server and have not been able to easily pin down source IPs or see the bad auth attempts in logs. We have SMTP logging enabled. Thanks in advance for any feedback/help!


Accepted answer
  1. Eric Yin-MSFT 4,386 Reputation points

    What's your question or need actually?
    If you want to track those IPs, you should check the IIS log; by default it's located in: %systemDriver%\Interpub\logs\logfiles

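One way to act on the accepted answer, as an added example that is not part of the original thread: a Python script that reads IIS W3C logs (IIS writes them under `%SystemDrive%\inetpub\logs\LogFiles` by default) and groups failed logons by client IP. It assumes the `c-ip`, `cs-username`, `sc-status` and `sc-win32-status` fields are enabled in IIS logging; the sample log, addresses and user names are constructed, and the function names and threshold are illustrative.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 alice@example.com 203.0.113.7 python-requests/2.31 401 1 1326 12
2024-05-01 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 bob@example.com 203.0.113.7 python-requests/2.31 401 1 1326 11
2024-05-01 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 carol@example.com 203.0.113.7 python-requests/2.31 401 1 1326 14
2024-05-01 08:00:04 10.0.0.5 POST /EWS/Exchange.asmx - 443 Alice@example.com 203.0.113.7 python-requests/2.31 401 1 1326 10
2024-05-01 08:01:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 dave@example.com 198.51.100.20 Outlook/16.0 401 1 1326 9
2024-05-01 08:01:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 dave@example.com 198.51.100.20 Outlook/16.0 200 0 0 48
2024-05-01 08:02:00 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 401 2 5 3
2024-05-01 08:02:01 10.0.0.5 GET /owa/
"""

# sc-win32-status 1326 is ERROR_LOGON_FAILURE (bad user name or password).
def failed_logons(lines, win32_failure="1326"):
    """Yield (c-ip, cs-username, cs-uri-stem) for each 401 with that sc-win32-status."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can reappear mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if row.get("sc-status") == "401" and row.get("sc-win32-status") == win32_failure:
            yield row.get("c-ip", "-"), row.get("cs-username", "-"), row.get("cs-uri-stem", "-")

def summarize(lines, threshold=3):
    """Return {c-ip: count, users, paths} for IPs with at least `threshold` failures."""
    counts, users, paths = Counter(), defaultdict(set), defaultdict(set)
    for ip, user, path in failed_logons(lines):
        counts[ip] += 1
        if user != "-":
            users[ip].add(user.lower())
        paths[ip].add(path)
    return {ip: {"count": n, "users": sorted(users[ip]), "paths": sorted(paths[ip])}
            for ip, n in counts.most_common() if n >= threshold}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

If a load balancer or reverse proxy sits in front of Exchange, `c-ip` is that device's address unless it is configured to preserve the client IP.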
