i want to audit remote connection attempts to a Windows 2003 Server. i've changed the group policy to show logon successes and failures:

>gpedit.msc

Local Computer Policy
   Computer Configuration
      Windows Settings
         Security Settings
            Local Policies
               Audit Policy
                  Audit logon events: Success, Failure

And now the logs are filled with failure events like:

Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              server
    ...
    Logon Type:             10
    Logon Process:          User32  
    Authentication Package: Negotiate
    ...
    Source Network Address: 82.114.195.29

While Logon Failure events sure are interesting, i'm more interested in Logon Success events - i want to see if anyone got in. That means it's not all Logon Success events i wants, just ones from foreign networks.

i want to filter the Windows Security Event log to show:

  • Event type == "Failure audit"
  • "Source Network Address" is from the internet

Or for the more programmer oriented:

(EventType == FAILURE_AUDIT) &&
(SourceNetworkAddress & 0xffffff00) != 0x0a000000

Possible?


Event viewer won't allow you to filter on criteria in the "Description" field, which is what you need to differentiate between "local" networks and "foreign" networks.

My sshd_block script could be altered to do what you're looking for, or you could probably cobble something together using the event log email notification script I wrote for an answer on Server Fault. Either one, however, doesn't have rate limiting on the notifications (which I really should get around to writing in my "copious free time"...)