Symantec Messaging Gateway Alert - Login failures occur for a single user

    Posted Jul 04, 2022 06:55 PM
    Every now and then I get a flurry of messages with the above subject line, due to attempted brute force attacks on our messaging gateway (which so far have always failed).

    I sometimes get similar messages about login attempts from a single IP, which is easy: I can block that IP in our firewall and report it as abusive.

    What I would like to be able to do is look through the logs to see if I can identify source IP addresses for the single user failures (I assume the attackers are using some kind of bot network to leverage multiple IPs to try and disguise the origin), but I cannot find any log events that correspond to these messages.

    Does anyone know what log I need to be looking in and/or what level of logging I need to turn on for these attempts to appear in the logs as well as sending warning messages? It seems odd that I can get a notification but seem to have no ability to look into the problem.

    Thanks.