0 Votes
JohnLake-4097 asked JohnLake-4097 commented

Authentication source logging in Exchange 2013

We have Exchange Server 2013 on-prem in a hybrid config. We have been having brute force bad actor auth attempts to our Exchange boxes that have been causing AD lockouts. We have been disappointed with logging on the server and have not been able to easily pin down source IPs or see the bad auth attempts in logs. We have SMTP logging enabled. Thanks in advance for any feedback/help!

office-exchange-hybrid-itpro

1 Answer

0 Votes
EricYin-MSFT answered JohnLake-4097 commented

What's your question or need, actually?
If you want to track those IPs, you should check the IIS log; by default it's located in: %SystemDrive%\inetpub\logs\LogFiles



Thanks @EricYin-MSFT! I've looked at the IIS logs but we use a load balancer and I think the article below is potentially applicable for us. I would like to hear your opinion on the suggested solution.

"One of the most common scenarios when load balancing Exchange servers - and any other website as a matter of fact - is that on the web server logs, the IP of the client is not the IP of the machine that makes the requests but the IP of the load balancer instead. This is normal since the connections from the clients are terminated on the load balancer and not the web server."

The fix suggested in the article is to forward the client IP from the load balancer in a "x-forwarded-for" field and add a corresponding field called "x-forwarded-for" at the logging field config in IIS.

"Click "Select Fields" and then click "Add Field". On the Add Custom Field form, select the name of the field as you want it to appear in the log, "Request Header" as the source type and "X-Forwarded-For" as the source and click OK. The new field will be listed under the custom fields pane."


https://blog.cpolydorou.net/2017/02/exchange-original-client-ip-on-iis-logs.html


Thanks again @EricYin-MSFT !

0 Votes 0 ·
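
One way to use the X-Forwarded-For field discussed in this thread once IIS is logging it, as an added example that is not from the thread or the linked article: a PowerShell function that reads the `#Fields` header of an IIS W3C log and counts 401 responses per original client address. The function name, the `-MinFailures` parameter and the sample log lines are constructed for illustration.

```powershell
# Constructed sample: IIS W3C log with the custom X-Forwarded-For field added.
# Every address, account and timestamp here is made up for illustration.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status X-Forwarded-For
2017-02-01 10:00:01 10.0.0.20 POST /EWS/Exchange.asmx - 10.0.0.5 401 203.0.113.7
2017-02-01 10:00:02 10.0.0.20 POST /EWS/Exchange.asmx - 10.0.0.5 401 203.0.113.7
2017-02-01 10:00:03 10.0.0.20 POST /EWS/Exchange.asmx CONTOSO\jdoe 10.0.0.5 200 198.51.100.23
2017-02-01 10:00:04 10.0.0.20 POST /EWS/Exchange.asmx - 10.0.0.5 401 203.0.113.7,+10.0.0.9
2017-02-01 10:00:05 10.0.0.20 GET /owa/ - 10.0.0.5 401 -
'@ -split "`r?`n"

function Get-FailedAuthBySource {
    param(
        [string[]]$Line,
        [string]$HeaderField = 'X-Forwarded-For',  # name chosen in "Add Field"
        [int]$MinFailures = 1                      # hypothetical reporting threshold
    )
    $fields = @()
    $counts = @{}
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Re-read the column layout; it changes when logging fields are edited.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($l) -or $l.StartsWith('#') -or -not $fields) { continue }
        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }       # keep failed authentications only

        # IIS logs "-" for a missing header and "+" for spaces, so a proxy chain
        # appears as "client,+proxy". The leftmost entry is only trustworthy if the
        # load balancer replaces any X-Forwarded-For value supplied by the client.
        $xff = $row[$HeaderField]
        if ($xff -and $xff -ne '-') { $source = ($xff -split ',')[0].Trim('+') }
        else { $source = $row['c-ip'] }                     # load balancer address
        $counts[$source] = 1 + [int]$counts[$source]
    }
    $counts.GetEnumerator() |
        Where-Object { $_.Value -ge $MinFailures } |
        Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ Source = $_.Key; Failed401 = $_.Value } }
}

Get-FailedAuthBySource -Line $sample
```

For real logs, pass `Get-Content` output from the site's log directory as `-Line`. NTLM and Negotiate handshakes also produce 401 responses during normal sign-in, so compare counts across sources rather than treating each 401 as a bad password.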