I am attaching to the security event log with the System.Diagnostics.Eventing.Reader.EventLogWatcher class, and I am looking at event code 4625 on a 2008 server for incoming failed logins (in particular, RDP).
Log capture works fine, and I queue the results for associated post-processing. However, sometimes the captured events have the IpAddress data field filled out (allowed), and sometimes they do not.
I have Windump running and watching the server while I attempt regular RDP logins from different servers and OS variants, and the only conclusion I can come to is that it is a version-difference problem and good encoding. Although I could be wrong, lol.
The problem lies in the event logs themselves regarding these connections. All failed RDP logins are logged and processed correctly, but some of the events simply do not record the source IP address of the failed connection.
Is there some newer mstsc method of calling the remote server so that the event log does NOT record the source IP address? This is the same for any other 2008 server that I connect to this server from. Any 2003 or XP computer that I have tried so far is recorded correctly.
If you need more information, let me know. Thank you SO!
EDIT
Do I need to do something crazy, like implementing SharpPcap and mapping IP addresses to event log entries that way? Or can lsass be queried (it is not the only thing that usually writes to the security log)?
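As an added example (not the poster's code), the following parses 4625 event XML in the shape EventRecord.ToXml() returns, treats an IpAddress of "-" or empty as "source not recorded", and counts failed RDP logons by source so the ones lacking an IP can be queued for out-of-band correlation. The sample events are constructed; the field names (TargetUserName, LogonType, IpAddress, WorkstationName) are the standard 4625 EventData names.

```python
# Added example: parse 4625 XML (EventRecord.ToXml()) and flag missing source IPs
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_LOGON_TYPES = {10, 3}  # 10 = RemoteInteractive; NLA-negotiated attempts may show as 3

def parse_4625(xml_text):
    """Return the fields a 4625 consumer needs; source_ip is None if not recorded."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    ip = data.get("IpAddress", "")
    return {
        "user": data.get("TargetUserName", ""),
        "workstation": data.get("WorkstationName", ""),
        "logon_type": int(data.get("LogonType", "0") or 0),
        "source_ip": None if ip in ("", "-") else ip,  # "-" means Windows did not record it
    }

def summarize(xml_events):
    """Count failed RDP logons per recorded source IP, plus how many had no IP at all."""
    by_ip = Counter()
    no_ip = 0
    for xml_text in xml_events:
        ev = parse_4625(xml_text)
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        if ev["source_ip"] is None:
            no_ip += 1  # candidate for correlation with a packet capture
        else:
            by_ip[ev["source_ip"]] += 1
    return by_ip, no_ip

def _event(user, logon_type, ip, ws):  # constructed sample, not a real capture
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data>'
            f'<Data Name="WorkstationName">{ws}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event("Administrator", 10, "198.51.100.7", "XP-BOX"),
    _event("Administrator", 10, "-", "-"),           # source IP not recorded
    _event("backup", 3, "198.51.100.7", "XP-BOX"),
    _event("svc", 2, "-", "CONSOLE"),                # interactive logon, not RDP
]
```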