Event Logging IPAddress does not always resolve

Question

I am hooking the Security event log with System.Diagnostics.Eventing.Reader.EventLogWatcher class, and I am watching Event ID 4625 on a 2008 server box, for incoming failed logi

Answer 1

Asteroid's answer works, but you MUST enable "Allow connections from computers running any version of Remote Desktop (less secure)" instead of "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)".

NLA does not use User32, but uses NtLmSsp which relies on LM responses. If that's blocked (as the instructions above will do), you'll end up with ye olde "The Local Security Authority cannot be contacted."