2

I have several failed connection attempts to my Windows 10 hosted SSH server. The event log does not provide any information on the source IP and other remote network details. How can I get this information populated? Computer policy is set to log Success and Failure, but still no info is being gathered.

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TEST1
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: -
Account Domain: -

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x2638
Caller Process Name: C:\Windows\System32\OpenSSH\sshd.exe

**Network Information:**
**Workstation Name: -**
**Source Network Address: -**
**Source Port: -**

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Yuri
  • 123

1 Answer

2

The reason why Windows event ID 4625 does not log the source IP is that Windows does not know the source address.

The process which is authenticating to Windows (via clear text login - type 8) is OpenSSH with the sshd.exe process. More info on 4625 is here: https://system32.eventsentry.com/security/event/4625.

It is this process that actually receives the incoming network connection and then passes the username & password on to Windows, verifying the provided credentials.

I'm afraid this is just how Windows works. Like Greg said, you'd have to get this information from the SSH logs. Only the SSH service would know all the information you want:

  • Source IP / Port
  • Username

I would recommend that you look through the OpenSSH documentation to see where the log file is located (should be C:\ProgramData\ssh\sshd_config) and set the logging level to VERBOSE (LogLevel VERBOSE).

Apparently OpenSSH on Windows has its own event log (Applications and Services Logs > OpenSSH) where you can see this information, but I can't verify this since I've never used OpenSSH on Windows.

Lucky Luke
  • 1,739
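An added example (not part of the answer above, and not OpenSSH project code): once sshd's own log is available, the source address and username that event 4625 lacks can be pulled from its failed-password lines and grouped per source. It assumes the standard OpenSSH "Failed password for ... from ... port ... ssh2" message; the sample lines, their `<pid> <timestamp>` prefix, and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Message part of an OpenSSH failed-password line. The greedy user group makes
# the regex bind to the LAST " from <ip> port <n>", so a client-supplied
# username that itself contains " from ... port ..." cannot spoof the source.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port (?P<port>\d+) ssh2\s*$"
)

def parse_failed_logins(lines):
    """Yield (user, ip, port, invalid_user) for each failed-password line."""
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a literal address; skip rather than guess
        yield m["user"], str(ip), int(m["port"]), bool(m["invalid"])

def summarize(lines):
    """Group failures by source address: attempt count and usernames tried."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for user, ip, _port, _invalid in parse_failed_logins(lines):
        by_ip[ip]["attempts"] += 1
        by_ip[ip]["users"].add(user)
    return dict(by_ip)

# Constructed sample lines (documentation address ranges). The leading
# "<pid> <timestamp>" prefix is an assumption and is ignored by the regex.
SAMPLE = [
    "4120 2024-01-15 09:12:01.100 Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2",
    "4120 2024-01-15 09:12:04.310 Failed password for invalid user test from 203.0.113.45 port 51130 ssh2",
    "5532 2024-01-15 09:20:44.002 Failed password for alice from 198.51.100.7 port 60211 ssh2",
    "5532 2024-01-15 09:21:10.870 Accepted password for alice from 198.51.100.7 port 60215 ssh2",
    # Username crafted to look like a different source address:
    "6010 2024-01-15 09:30:02.555 Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.45 port 51200 ssh2",
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["attempts"], sorted(info["users"]))
```

The timestamps in the sshd lines can then be matched against the 4625 events that name `sshd.exe` as the caller process.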