
In my domain controller event log, I'm getting an account failure from a username of a service account.
The info is:

Security ID: DOMAIN\serviceaccount
Account Name: serviceaccount
Additional Information: 

Caller Computer Name: FreeRDP

This is really no help to me at all. I'm looking for an IP address, since any client can just 'tell' me who they are when they try to login. Is there any verbose or text based logging that I can check or implement to get source/destination IP, etc?

parsecpython
  • `any client can just 'tell' me who they are when they try to login` - What do you mean? Do you mean that you don't trust the Caller Computer Name that was logged in the event? – joeqwerty Apr 25 '16 at 16:46
  • exactly that, yes – parsecpython Apr 25 '16 at 16:56
  • Playing Devil's Advocate then; If you don't trust the Event Log, why would you trust any other log? Additionally, how do you imagine the client would/could "spoof" its name. I'm trying to understand your concern. – joeqwerty Apr 25 '16 at 17:00

1 Answer


The security event log does not provide every conceivable piece of information. If you need more details, install and use SysMon:

https://technet.microsoft.com/en-us/sysinternals/sysmon

Network logging is not enabled by default; you would need to include the -n switch.

sysmon -accepteula -i -h sha1,sha256 -n
Greg Askew
  • Great, this looks like the right tool for the job. I'm looking for tracking events and network activity related to logins only. Can you provide insight to this configuration? I'll also see what I can find from Googling and testing, as well – parsecpython Apr 27 '16 at 16:27
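Building on the answer above, as an added example that is not part of the original post: once Sysmon is running with -n on the domain controller, this PowerShell snippet takes the RecordId of a Security-log failure event (a placeholder you supply) and lists the Sysmon network-connection events (Event ID 3) handled by lsass.exe in the seconds around it, with their source addresses. It assumes Sysmon writes to its default Microsoft-Windows-Sysmon/Operational log and that the authentication traffic to the DC is received by lsass.exe.

```powershell
# Added example, not from the answer. Correlate a Security-log failure event
# with Sysmon Event ID 3 (network connection) records around the same time.
param(
    # RecordId of the failure event in the Security log (placeholder; look it up
    # with Get-WinEvent or Event Viewer and pass it in).
    [Parameter(Mandatory)][long]$FailureRecordId,
    [int]$WindowSeconds = 5
)

# Anchor on the failure event's timestamp (EventRecordID is the XPath field name).
$failure = Get-WinEvent -LogName 'Security' `
    -FilterXPath "*[System[EventRecordID=$FailureRecordId]]" -ErrorAction Stop
$start = $failure.TimeCreated.AddSeconds(-$WindowSeconds)
$end   = $failure.TimeCreated.AddSeconds($WindowSeconds)

# Sysmon Event ID 3 = network connection detected (requires the -n switch).
$conns = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

foreach ($e in $conns) {
    # Sysmon stores its named fields in EventData; read them from the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only connections belonging to lsass.exe, which services Kerberos (88),
    # LDAP (389) and NTLM/SMB (445) authentication on a DC.
    if ($d.Image -notlike '*\lsass.exe') { continue }

    [pscustomobject]@{
        UtcTime         = $d.UtcTime
        Initiated       = $d.Initiated    # 'false' = inbound connection to this host
        SourceIp        = $d.SourceIp
        SourceHostname  = $d.SourceHostname
        SourcePort      = $d.SourcePort
        DestinationPort = $d.DestinationPort
        Protocol        = $d.Protocol
    }
}
```

The address reported is the peer that actually spoke to the DC: with NTLM pass-through from a member server (for example an RDP host) that is the server, not the original client, so compare it against the Caller Computer Name rather than expecting them to match.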