We are currently logging all security events from domain controllers as well as IIS/Advanced IIS logs on our CAS servers. We wish to detect brute force attacks on OWA as well as trace back failed logon attmpts to our CAS servers.
In other words, we are looking for our CAS servers to log something along the lines of "This IP connected to this CAS server and attempted to authenticate JDOE unsuccessfully"
Right now I can see CAS activity, I see a particular user with multiple devices (Mac running Outlook, iPhone, another iPhone, and a web client running Firefox on Win 7) and we are able to see failed logon attempts for the user account between the CAS server and the Domain Controller. What we CANNOT see is which device is generating the failed logons.