First of all, congratulations for your web site; it is excellent from the technical and marketing point of view.
We work with Arcsight which is a SEM and the connector that obtains the logs from the DC (W2K3) gives us events 680 with the same source and destination IP, that is, the IP address of the Domain Controller.
This generates a lot of noise in a system with too much NTLM authentication because Arcsight correlates "Brute Force Attacks" based on source and IP address (must be the same for the different events).
Why would authentication events (680) have the source IP address of the Domain Controller itself?
This is something that I am not able to find out.
Thank you very much in advance.
P.S. I have seen your webinar on Authentication vs Logon: really interesting.
Do you have "audit logon events" enabled? (not to be confused with "Audit account logon events")
If so you should be getting event ID 528 or 540. Can you post some sanitized examples of your 680, 528, 540s? Pay attention to the Logon Type in 528/540.
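The false positive the poster describes comes from keying the brute-force rule on the source IP, which for 680 is always the DC's own address. The following is an added example, not code from either participant or from ArcSight: it runs a simple failure-count rule over a handful of constructed, already-parsed events and shows that keying on source IP collapses every NTLM failure in the domain into one bucket, while keying on the 680 event's Source Workstation and Logon Account fields, or on the Source Network Address that 540 (logon type 3) events carry, separates real attempts. The field names (`event_id`, `src_ip`, `dst_ip`, `workstation`, `account`, `error_code`, `logon_type`) are assumptions about how a collector might normalise the events.

```python
"""Counting Windows 2003 account-logon (680) failures without the DC-IP trap.

Added example, not code from the thread's participants. The records below
are constructed to resemble normalised 680 / 540 events; the field names are
assumptions about a collector's schema, not ArcSight's actual field names.
"""
from collections import Counter

DC_IP = "10.0.0.5"  # constructed: the domain controller's own address

# Constructed sample. Every 680 carries the DC's IP as both source and
# destination, as the poster observed, because the DC logs the NTLM
# validation itself; the client is only visible in Source Workstation.
# Error Code 0xC000006A is a bad password, 0x0 is a success.
EVENTS = [
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-ALICE", "account": "alice", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-ALICE", "account": "alice", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-ALICE", "account": "alice", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-BOB", "account": "bob", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-BOB", "account": "bob", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-BOB", "account": "alice", "error_code": "0xC000006A"},
    {"event_id": 680, "src_ip": DC_IP, "dst_ip": DC_IP,
     "workstation": "WS-ALICE", "account": "alice", "error_code": "0x0"},
    # 540 network logons (logon type 3) carry the client's real address.
    {"event_id": 540, "src_ip": "10.0.0.21", "dst_ip": DC_IP,
     "workstation": "WS-ALICE", "account": "alice", "logon_type": 3},
    {"event_id": 540, "src_ip": "10.0.0.22", "dst_ip": DC_IP,
     "workstation": "WS-BOB", "account": "bob", "logon_type": 3},
]


def failed_680(events):
    """Return the 680 events whose Error Code is not 0x0, i.e. failed NTLM validations."""
    return [e for e in events if e["event_id"] == 680 and e["error_code"] != "0x0"]


def bucket_by(events, *fields):
    """Count events per tuple of the given field values (the correlation key)."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def brute_force_candidates(events, *fields, threshold=3):
    """Keys whose failed-680 count reaches the threshold under the given correlation key."""
    counts = bucket_by(failed_680(events), *fields)
    return {key: n for key, n in counts.items() if n >= threshold}


def network_logon_sources(events):
    """Client addresses seen in 540 logon-type-3 events (the field the reply points at)."""
    return {e["src_ip"] for e in events
            if e["event_id"] == 540 and e.get("logon_type") == 3}


if __name__ == "__main__":
    # Keyed on src_ip: all six failures land on the DC's address, one noisy alert.
    print("by src_ip:", brute_force_candidates(EVENTS, "src_ip"))
    # Keyed on workstation + account: only WS-ALICE/alice reaches the threshold.
    print("by workstation+account:",
          brute_force_candidates(EVENTS, "workstation", "account"))
    print("540 client addresses:", network_logon_sources(EVENTS))
```

The point for tuning the SEM rule: for 680 the attacker's location lives in Source Workstation, not in the packet-level source address, so the correlation key should be built from the event's own fields (workstation, account) or from the 528/540 events' Source Network Address, which is why the reply asks for the Logon Type.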