Find failed connection attempts in Log files for ActiveSync / Webmail
Question asked by Charles Michel - December 17, 2016 at 5:33 AM
For SMTP and IMAP, if I set the log settings to Detailed, I can spot failed login attempts by looking for "rsp: 535 Authentication failed" or "login failed" and it also gives me what login was used.
How do I spot a failed login attempt and what login was used for ActiveSync or the Webmail? Neither the ActiveSync nor IIS log seems to show anything useful.

1 Reply

Adding his comment just so that the question doesn't go unnoticed. I have a server under brute-force attack, and I would like to be able to find IPs causing failed authentications so that I can ban them at the firewall level automatically.
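For the SMTP/IMAP side that the question already covers, the following added example (not part of the original thread or of any mail server's own tooling) scans Detailed log lines for the two failure strings quoted in the question and lists source IPs that exceed a failure threshold inside a sliding time window, ready to feed a firewall ban list. The line layout `HH:MM:SS [ip][session] text`, the function name `offending_ips` and the sample lines are assumptions; it does not cover ActiveSync or Webmail, for which the thread gives no log markers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure strings quoted in the question for Detailed SMTP/IMAP logs.
FAIL_MARKERS = ("rsp: 535 Authentication failed", "login failed")

# ASSUMED line layout (not from the thread): "HH:MM:SS [ip][session] text".
# Adjust this pattern to the format your server actually writes.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \[([0-9a-fA-F.:]+)\]\[(\w+)\] (.*)$")

# Constructed sample lines using documentation-range IP addresses.
SAMPLE_LOG = """\
05:10:00 [192.0.2.5][0990] rsp: 535 Authentication failed
05:25:00 [192.0.2.5][0995] rsp: 535 Authentication failed
05:30:02 [203.0.113.7][1001] rsp: 535 Authentication failed
05:30:09 [203.0.113.7][1002] rsp: 535 Authentication failed
05:30:15 [198.51.100.20][1003] rsp: 235 Authentication successful
05:30:40 [203.0.113.7][1004] a1 NO login failed
05:31:00 [198.51.100.20][1005] rsp: 535 Authentication failed
05:40:00 [192.0.2.5][1010] rsp: 535 Authentication failed
"""

def offending_ips(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for IPs with >= threshold failures in any window."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    totals = defaultdict(int)    # ip -> all failures seen in the input
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, ip, _session, text = m.groups()
        if not any(marker.lower() in text.lower() for marker in FAIL_MARKERS):
            continue
        when = datetime.strptime(ts, "%H:%M:%S")  # time only: process one day's log per run
        q = recent[ip]
        q.append(when)
        totals[ip] += 1
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, count in offending_ips(SAMPLE_LOG.splitlines()).items():
        print(ip, count)
```

Slow, spread-out guessing (like the constructed `192.0.2.5` lines) stays under the default window, so widen `window` or lower `threshold` if that pattern matters to you.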

