[asterisk-users] ID'ing failed auth IPs
Hose
hose+asterisk at bluemaggottowel.com
Mon Nov 29 11:01:02 CST 2010
So when someone's brute forcing your server is there a way to identify
the originating IPs without using a tcpdump? When I get a failed auth
on the console it shows 'account at asteriskserver' then tag=as25ca5023 (or
some random string, though it's a bit odd as alwaysauthreject = yes is
on in sip.conf). Anyway, the logs don't show anything more useful
either. Is there something obvious I'm missing? Cranking up verbosity
on the console doesn't seem to do anything.
hose