In nDepth, if UserLogonFailure is showing
EventInfo: Logon Failure "myDomain\johnD" InsertionIP:SalesPC1
Does this definately mean that JohnD tried to logon to the SalesPC1 and failed?
Typically this will be true. The InsertionIP field indicates the machine that generated the event, and the computer that the user attempted to log on to should generate the event. However in practice, I would probably use the destinationIP field instead.
Check also the SourceMachine and LogonType fields, they can provide you more insight. If the LogonType is showing "Windows: Interactive" (or Cached Interactive or Remote Interactive) those are all direct logons. If it's a Network logon or other type, the SourceMachine should show you where they are attempting from (it might be something like someone accessing a share on SalesPC1, not logging on directly).
