Because the SSL security layer is enabled for the Windows 2012 remote desktop service, the security log cannot record the source IP address and username of a logon failure. As a result, the brute-force attack blocking function of Server Guard cannot obtain the username of the visitor. However, you can obtain the username of the failed logon through manual analysis.
To manually obtain the username of a failed logon in Windows 2012, Audit logon events must be enabled.
Go to Control Panel > System and Security > Administrative Tools > Event Viewer, and select Windows Logs > Properties to check if the logging function is enabled.
Go to Control Panel > System and Security > Administrative Tools > Local Security Policy, and select Local Policies > Audit Policy to enable Audit logon events.
In Server Guard > Intrusion Detection > Brute-force Logon, the UserName of the record is shown as N/A. Follow these steps to obtain the username of the failed logon:
Log on to the Server Guard console, and go to the Assets page.
Find the target server and click the alarm number under its Abnormal Logon menu.
Find the alarm record for the brute-force logon, and check its Time logged in. The UserName of this record is N/A.
Log on to the Windows 2012 server, go to Control Panel > System and Security > Administrative Tools > Event Viewer, and select Windows Logs > Security.
Search for the detailed log entry recorded at the time Server Guard reported the brute-force logon. You can filter on Audit failure as the Keywords and Logon as the Task Category.
Check the failure cause in the General view. From the Unknown username or password error section, you can find the username of the logon failure.
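The manual lookup in the steps above can also be scripted. The following PowerShell is an added example, not part of the original procedure or of Server Guard; it assumes the alarm time is copied by hand from the Server Guard record (the value shown is a constructed sample), uses an assumed five-minute window on each side of that time, and relies on event ID 4625, the Windows Security-log failed-logon event.

```powershell
# Run in an elevated PowerShell session on the Windows 2012 server:
# reading the Security log requires administrator rights.

# Time of the brute-force alarm, copied from the Server Guard record.
# Constructed sample value; replace it with the time shown in the console.
$AlarmTime     = Get-Date '2018-01-15 03:42:00'
$WindowMinutes = 5   # assumed search window on each side of the alarm time

# Event ID 4625 is "An account failed to log on"
# (Keywords: Audit Failure, Task Category: Logon).
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $AlarmTime.AddMinutes(-$WindowMinutes)
    EndTime   = $AlarmTime.AddMinutes($WindowMinutes)
}

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The named fields of the event are <Data Name="..."> elements in its XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserName    = $data['TargetUserName']   # account name that was tried
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            # 0xC0000064 = unknown user name, 0xC000006A = bad password
            SubStatus   = $data['SubStatus']
        }
    }

if (-not $failures) {
    Write-Warning 'No failed-logon events in this window. Confirm that Audit logon events is enabled, then widen the window.'
} else {
    # Chronological list of the failed attempts around the alarm time.
    $failures | Sort-Object TimeCreated | Format-Table -AutoSize
    # Attempt count per username, most targeted account first.
    $failures | Group-Object UserName | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

An empty result usually means the audit policy was not enabled when the attempts occurred, since events are only written from the moment Audit logon events is turned on.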