We have Exchange Server 2013 on-prem in a hybrid config. We have been having brute force bad actor auth attempts to our Exchange boxes that have been causing AD lockouts. We have been disappointed with logging on the server and have not been able to easily pin down source IPs or see the bad auth attempts in logs. We have SMTP logging enabled. Thanks in advance for any feedback/help!