I've had a lot of failed login lately via RWW on our SBS 2008 server. I find these in the Event Security log under event ID 4771 and I have a task created to send me a message when failures occur.
If someone on the local domain fails, the event shows a Client Address as one of the LAN workstations. However, for some questionable failures, the IP address is ::1. Clearly this tells me nothing. Is there a way to see the actual IP address from where this attempt is originating?