• The Windows event usually shows an IP address that the request came from. I usually start there.

    Do a tracert on the IP and see where it's coming from.

    From there it kinda depends on what you find out about the machine making the attempt.

    If it's internal, you can run something like this to see if maybe someone's running an app or a bad Crystal Report that's requesting way too many privileges.

    WMIC /Node:COMPUTERTOFIND ComputerSystem Get Username

    Just replace COMPUTERTOFIND with the computer name and it will tell you who's currently logged in there so you can go over to their desk and tell them to stop.

    If that doesn't resolve it, you can run Netstat at an interval through the day and log the TCP connections that come in.

    http://technet.microsoft.com/en-us/library/bb490947.aspx

    Or when all else fails, or you're really wanting to log and investigate everything at the packet level, download Wireshark.

    http://www.wireshark.org/
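
Added example, not part of the original answer: one way to do the interval Netstat logging described above, keeping only connections from the address seen in the event and recording the owning process. The parameter names, the default values and the `ConvertFrom-NetstatLine` helper are assumptions made for illustration.

```powershell
# Sample TCP connections at an interval and log those from one remote address.
# Run on the machine that recorded the event. All names and defaults are illustrative.
param(
    [string]$SuspectIp   = '192.0.2.10',                  # placeholder; use the IP from the event
    [string]$LogPath     = "$env:TEMP\netstat-log.csv",   # CSV that accumulates the samples
    [int]   $IntervalSec = 60,                            # seconds between samples
    [int]   $Samples     = 480                            # 480 x 60 s = one 8-hour day
)

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Parses "netstat -ano" rows such as:
    #   TCP    10.0.0.5:445    192.0.2.10:51234    ESTABLISHED    4
    # Header and blank lines do not match and produce no output.
    if ($Line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
        [pscustomobject]@{
            Time       = (Get-Date).ToString('s')
            LocalAddr  = $Matches[1]
            LocalPort  = [int]$Matches[2]
            RemoteAddr = $Matches[3]
            RemotePort = [int]$Matches[4]
            State      = $Matches[5]
            OwningPid  = [int]$Matches[6]
        }
    }
}

for ($i = 0; $i -lt $Samples; $i++) {
    # -a all connections, -n numeric addresses, -o owning PID, -p TCP limits output to IPv4 TCP
    # (use -p TCPv6 if the event shows an IPv6 address).
    netstat -ano -p TCP |
        ForEach-Object { ConvertFrom-NetstatLine $_ } |
        Where-Object   { $_.RemoteAddr -eq $SuspectIp } |
        ForEach-Object {
            # Resolve the PID to a process name; the process may already have exited.
            $proc = Get-Process -Id $_.OwningPid -ErrorAction SilentlyContinue
            $_ | Add-Member -NotePropertyName ProcessName `
                            -NotePropertyValue $proc.ProcessName -PassThru
        } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation

    Start-Sleep -Seconds $IntervalSec
}
```

The local port in each logged row shows which service the remote machine is reaching, which narrows down what is generating the logon attempts.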