Currently failed auth requests are logged as:
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thatuser] FAILED with error NT_STATUS_WRONG_PASSWORD
On the mailing list, the request to include the remote IP address has come up several times.
Jeremy Allison replied: "We should probably have something in the server that logs this as an official "event"."
I filed this RFE by request of Jeremy Allison, see here:
Fixed by 12cd7ab60a1d2cf891c061652fbcad6f8fed56d1 in master for Samba 4.7.0
Extensive work has been done to add this feature to Samba 4.7:
Two new debug classes, auth_audit and auth_audit_json were added to control logging of text-string and structured JSON authentication and authorization logging.
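
As an added example (not part of the original bug report or of Samba's code), this Python script shows what the remote address in the JSON records makes possible: grouping failed authentications by source host. The sample lines are constructed, and the record field names and the "family:host:port" address form are assumptions to check against the output of your Samba version.

```python
import json
from collections import defaultdict

# Constructed sample input. The field names (type, Authentication, status,
# remoteAddress, clientDomain, clientAccount) and the "family:host:port"
# address form are assumptions; adjust them to what your Samba emits.
SAMPLE_LOG = r"""
auth_check_password_recv: sam_ignoredomain authentication for user [HPRS\thisuser] FAILED with error NT_STATUS_NO_SUCH_USER
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.10:50112", "clientDomain": "HPRS", "clientAccount": "thisuser"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.10:50113", "clientDomain": "HPRS", "clientAccount": "thatuser"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.10:50114", "clientDomain": "HPRS", "clientAccount": "thatuser"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:198.51.100.7:40000", "clientDomain": "HPRS", "clientAccount": "thatuser"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv6:2001:db8::5:40100", "clientDomain": "HPRS", "clientAccount": "thatuser"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASS
"""

def parse_records(text):
    """Yield the Authentication object from every log line that carries one."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # plain-text debug line without a JSON payload
        try:
            rec = json.loads(line[start:])
        except ValueError:
            continue  # truncated or otherwise malformed JSON
        auth = rec.get("Authentication") if isinstance(rec, dict) else None
        if isinstance(auth, dict) and rec.get("type") == "Authentication":
            yield auth

def remote_host(addr):
    """Drop the address-family prefix and the trailing port."""
    if not addr:
        return "unknown"
    host = addr.split(":", 1)[1] if addr.startswith(("ipv4:", "ipv6:")) else addr
    return host.rsplit(":", 1)[0]

def failures_by_source(text, threshold=3):
    """Map each remote host with >= threshold failures to the accounts it tried."""
    counts, accounts = defaultdict(int), defaultdict(set)
    for auth in parse_records(text):
        if auth.get("status") == "NT_STATUS_OK":
            continue
        src = remote_host(auth.get("remoteAddress"))
        counts[src] += 1
        accounts[src].add("{}\\{}".format(auth.get("clientDomain"), auth.get("clientAccount")))
    return {s: sorted(accounts[s]) for s, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOG))
```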