remote access logging

Thread starter: help

Gang,

We have a remote access server that someone's computer
program is connecting to and attempting to log into using
various (obvious) usernames (like: admin, webmaster, etc).

Of course, we have none of these obvious usernames, and
account lockout after 10 tries, so they'll eventually go
find an easier car to steal, however ...

... why does Event Log NOT log the originating IP address
of the connection so I can track it down? I've looked
EVERYWHERE and can't find a way to capture that info in
the logs. Can anyone help?

Thanks in advance.
 
RAS logs everything to C:\WINNT\system32\LogFiles\Ras\
In there is a log file created every day.

You can parse out the log file and get the needed info.

Help on your server can give you help with the formatting of the file.
I warn you that until you figure out what the fields mean it looks like
a ton of garbage.

Another thing that you may want to look into is changing the format of the
log file. This can be done from the RAS admin MMC. If you want to write a script
to parse and report this stuff to you, you will want to output it in
database compatible format.

Cheers,

Paul
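
A sketch of the parsing script suggested in the reply above, added here as an example and not code from any poster in this thread. It assumes the log is in the comma-separated IAS format (six fixed header fields followed by attribute-id,value pairs, with attribute 31 as Calling-Station-Id and 4136 as Packet-Type); the sample records and all function names are constructed, and on dial-up links attribute 31 holds a phone number, not an IP address.

```python
import csv
from collections import Counter, defaultdict

# Assumed IAS-format layout (not stated in this thread): NAS-IP, User-Name,
# Record-Date, Record-Time, Service-Name, Computer-Name, then id,value pairs.
HEADER_FIELDS = 6
ATTR_CALLING_STATION_ID = "31"  # caller's address (client IP on VPN links)
ATTR_PACKET_TYPE = "4136"       # 1=Access-Request, 2=Accept, 3=Reject
ACCESS_REJECT = "3"

# Constructed sample records; addresses come from documentation ranges.
SAMPLE_LOG = """\
10.0.0.5,admin,03/14/2004,02:11:09,RAS,RASSRV,31,203.0.113.77,4136,1
10.0.0.5,admin,03/14/2004,02:11:09,RAS,RASSRV,31,203.0.113.77,4136,3
10.0.0.5,webmaster,03/14/2004,02:11:15,RAS,RASSRV,31,203.0.113.77,4136,3
10.0.0.5,jsmith,03/14/2004,08:30:02,RAS,RASSRV,31,198.51.100.20,4136,2
10.0.0.5,admin
"""

def parse_record(row):
    """Turn one CSV row into a dict, or None if the row is truncated."""
    if len(row) < HEADER_FIELDS:
        return None
    pairs = [field.strip() for field in row[HEADER_FIELDS:]]
    attrs = dict(zip(pairs[0::2], pairs[1::2]))  # a dangling id is dropped
    return {
        "user": row[1].strip(),
        "when": f"{row[2].strip()} {row[3].strip()}",
        "source": attrs.get(ATTR_CALLING_STATION_ID),
        "packet_type": attrs.get(ATTR_PACKET_TYPE),
    }

def failed_logons_by_source(lines):
    """Return (source, reject_count, usernames_tried), busiest source first."""
    rejects = Counter()
    users = defaultdict(set)
    for row in csv.reader(lines, skipinitialspace=True):
        rec = parse_record(row)
        if rec is None or rec["packet_type"] != ACCESS_REJECT:
            continue
        src = rec["source"] or "unknown"
        rejects[src] += 1
        users[src].add(rec["user"])
    return [(src, n, sorted(users[src])) for src, n in rejects.most_common()]

if __name__ == "__main__":
    for src, n, names in failed_logons_by_source(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} rejected logons, usernames tried: {', '.join(names)}")
```

To run it against a real file, pass the open file object to `failed_logons_by_source` in place of the sample lines.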
 
That capability has been added to Windows 2003. I know that does not help you;
possibly you may want to install a software firewall on that server and use it for
its logging capabilities. Sygate does excellent logging, or maybe you can correlate
existing firewall logs to the logged events on the computer. --- Steve
 