How can Syspeace pick up login attempts on an Exchange server?
Syspeace picks up login failures on the SMTP connector through its SMTP Exchange rules, which work by reading the related event log entries. These event log entries are rate limited to one entry per IP address in a period ranging from a few hours to 24 hours, depending on the version of Exchange Server. Syspeace therefore cannot detect login failures from a given IP address any more often than those entries are written.
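The effect of this rate limit on a failure-count rule, as an added illustration that is not Syspeace code: it assumes a hypothetical rule that acts after `threshold` logged failures within `window`, and a log that writes at most one entry per IP address per `log_interval`. All addresses, times and settings are constructed sample values.

```python
from datetime import datetime, timedelta

def rate_limited_log(attempts, log_interval):
    """Return the attempts that produce an event log entry when the log
    writes at most one entry per source IP per log_interval."""
    last_logged = {}
    logged = []
    for ts, ip in sorted(attempts):
        prev = last_logged.get(ip)
        if prev is None or ts - prev >= log_interval:
            last_logged[ip] = ts
            logged.append((ts, ip))
    return logged

def blocked_ips(entries, threshold, window):
    """Hypothetical rule: flag an IP once `threshold` logged failures
    fall inside a sliding `window`."""
    recent = {}
    blocked = set()
    for ts, ip in sorted(entries):
        times = [t for t in recent.get(ip, []) if ts - t < window]
        times.append(ts)
        recent[ip] = times
        if len(times) >= threshold:
            blocked.add(ip)
    return blocked

# Constructed sample: one address fails once a minute for six hours,
# another fails three times in ten minutes.
START = datetime(2024, 1, 1, 0, 0)
ATTEMPTS = [(START + timedelta(minutes=m), "203.0.113.10") for m in range(360)]
ATTEMPTS += [(START + timedelta(minutes=5 * m), "198.51.100.7") for m in range(3)]

def compare(threshold=5, window=timedelta(minutes=30),
            log_interval=timedelta(hours=4)):
    """Run the same rule over every attempt and over the rate-limited log."""
    logged = rate_limited_log(ATTEMPTS, log_interval)
    return (len(logged),
            blocked_ips(ATTEMPTS, threshold, window),
            blocked_ips(logged, threshold, window))

if __name__ == "__main__":
    entries, from_all, from_log = compare()
    print(f"attempts={len(ATTEMPTS)} log entries={entries}")
    print(f"flagged from every attempt: {sorted(from_all)}")
    print(f"flagged from rate-limited log: {sorted(from_log)}")
```

With these sample settings the 363 attempts yield three log entries, so a rule sized to the attempt rate never reaches its threshold on the SMTP log.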
Syspeace also picks up login successes and failures from OWA (Outlook Web Access/Outlook Web App), provided that Syspeace is installed on the server where OWA is hosted. The login attempts will show up as Windows login attempts. Please note that if OWA is not hosted directly on the public-facing server but is proxied through another server, the IP address recorded for the login attempt will be that of the public-facing server, not that of the actual user. This can lead to the public-facing server itself being blocked from the server hosting OWA.