Solution 1:

IP address for failed RDP attempts is logged here even with NLA enabled (no tweaks required) (tested on Server 2012 R2, not sure about other versions)

Applications and Services Logs > Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational (Event ID 140)

Logged text example:

A connection from the client computer with an IP address of 108.166.xxx.xxx failed because the user name or password is not correct.

XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="{1139C61B-B549-4251-8ED3-27250A1EDEC8}" /> 
  <EventID>140</EventID> 
  <Version>0</Version> 
  <Level>3</Level> 
  <Task>4</Task> 
  <Opcode>14</Opcode> 
  <Keywords>0x4000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-11-13T11:52:25.314996400Z" /> 
  <EventRecordID>1683867</EventRecordID> 
  <Correlation ActivityID="{F4204608-FB58-4924-A3D9-B8A1B0870000}" /> 
  <Execution ProcessID="2920" ThreadID="4104" /> 
  <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel> 
  <Computer>SERVER</Computer> 
  <Security UserID="S-1-5-20" /> 
  </System>
- <EventData>
  <Data Name="IPString">108.166.xxx.xxx</Data> 
  </EventData>
  </Event>

Solution 2:

This is a known limitation with the 4625 event and RDP connections using TLS/SSL. You will need to use RDP encryption for the remote desktop server settings, or get a better IDS product.

Solution 3:

You should use the built-in Windows Firewall and its logging settings. The logs will tell you the IP addresses of all incoming connection attempts. Since you mentioned that all your servers are internet-facing, there really is no excuse for not using the Windows Firewall as a part of your defense in depth strategy. I would specifically recommend not turning off NLA (network-level authentication,) since many of the attacks on RDP in the past have historically been mitigated by the use of NLA and only affected RDP session hosts running classic RDP encryption only.

Windows Firewall Logging

Solution 4:

This Event is usually caused by a stale hidden credential. Try this from the system giving the error:

From a command prompt run: psexec -i -s -d cmd.exe
From the new cmd window run: rundll32 keymgr.dll,KRShowKeyMgr

Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.