We're using our LEM system to, among other things, track the failed login attempts of users. I find that sometimes I see a user trying to log in via our CAS Servers, presumably to get email or whatnot, and getting bad password. Rarely does the "Source Machine" contain the IP address that's attempting access. Most of the time, it just indicates the source machine is the CAS server itself. Is there a degree of logging I need to turn on to get the information I'm looking for, find out what IP is locking up my users. I suspect it's a home machine they have trying to access for whatever reason, but have no way of getting any proof.