Here's something that I've recently had my nose smacked with: Every place where users can authenticate over the network to your systems should log successful authentications, including the source IP address. Every place. No exceptions. And all of the pieces (minimally user name, remote IP, and time) should be logged explicitly in one place; you should not have to piece together this information by