We've recently been faced with an issue where we have people attempting to guess user account passwords and therefore locking out legitimate accounts. The lockout has been working and preventing access. To work around this I've spent some time consolidating our mailbox.log and audit.log files into a searchable syslog server (through vmware log insight) and have been able to pull together data from those log files about the number of invalid password attempts, number of lockouts, number of invalid account attempts and a breakdown of invalid password attempts group by user. (I've attached a screenshot of that in case anyone is interested) There are also notification rules setup from the log monitoring system where generally within 2 minutes of an account lockout we receive an E-Mail notification.
What we are now wondering is how we can track down the source of the attempts. We've found that when attempting to connect via IMAP or SMTP the source IP address appears, but most of the invalid password attempts that are causing issues are through SOAP. What we are able to see during the times are entries like the following:
2016-02-24 19:26:02,593 WARN [qtp1480581246-137387:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], invalid password;
2016-02-24 15:32:30,406 WARN [qtp1480581246-133399:https://192.168.40.8:7071/service/admin/soap/] [name=USERNAME@DOMAIN;ip=192.168.40.8;] security - cmd=Auth; account=USERNAME@DOMAIN; protocol=soap; error=authentication failed for [USERNAME@DOMAIN], account lockout;
The account lockouts / invalid passwords never seem to show a source IP address. Are there any other log files we might be able to use to try and locate that information? Is there some logging we might be able to increase to find out the IP address so we can possible look to block that in some manner?
Thanks for any insight!