Active Directory Hardening Series - Part 1 – Disabling NTLMv1
Hello everyone, Jerry Devore back again after a long break from blogging to talk about Active Directory hardening. In my role at...
Hi swhitestrath - Yes - Most likely the computers in the "Workstation Name" field have a registry value less than 3 for HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
If capacity to collect the security logs from your member servers is an issue, you should be able to scope down forwarding to just the 4624 events with Package Name = NTLMv1.
You are correct about the 4624 events on the DC representing direct authentications between the client and the DC. When a member server passes an authentication to the DC for validation, the DC will log a 4776 and the 4624 will be logged on the member server.
Disabling the use of NTLMv1 with domain credentials is enforced by configuring the DCs to level 5. Any NTLMv1 authentication using domain accounts will be treated as a failed attempt once the DC is at level 5. That is true whether the client was authenticating directly to the DC or to a member server. As a result you want to identify all NTLMv1 authentications in the domain prior to configuring the DCs to level 5.
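The inventory step described in the reply above (find every 4624 logon that used NTLMv1 and work out which workstations are sending it, before raising the DCs to level 5) can be scripted. The following PowerShell is an added example and is not from the original post or from Microsoft; it assumes it is run elevated on a member server or DC, that the standard 4624 event data fields (LmPackageName, WorkstationName, TargetUserName, IpAddress, LogonType) are present, and that the LM package value for NTLMv1 logons is the string "NTLM V1" as shown in the event's "Package Name (NTLM only)" line.

```powershell
# Added example (not the post's own code): list NTLMv1 logons recorded as Security
# event 4624 on this host, group them by the sending workstation, and report the
# local LmCompatibilityLevel. Run on each member server and DC whose logs you
# cannot centralise; the XPath below is the same filter you would put in a
# Windows Event Forwarding subscription to collect only these events.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local host unless overridden
    [int]$Days = 7                              # assumption: look back one week
)

# 1. Registry check. Below 3 the client will still send LM/NTLMv1 responses;
#    the post states that DCs must be at level 5 to refuse NTLMv1 for domain accounts.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level  = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) {
    Write-Host "LmCompatibilityLevel is not set explicitly on $ComputerName (OS default applies)"
} else {
    Write-Host "LmCompatibilityLevel on $ComputerName = $level"
}

# 2. Event query: 4624 events in the last $Days days whose LM package was NTLM V1.
#    timediff() is the event-log XPath function that compares against "now" in ms.
$ms    = $Days * 24 * 60 * 60 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
         "and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

# 3. Flatten the EventData <Data Name=...> nodes into one object per logon.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']   # the "Workstation Name" the reply refers to
        SourceIP    = $d['IpAddress']
        LogonType   = $d['LogonType']
        Package     = $d['LmPackageName']
    }
}

# 4. Workstations sending NTLMv1 are the hosts to check for LmCompatibilityLevel < 3.
if (-not $rows) {
    Write-Host "No NTLMv1 (4624 / NTLM V1) logons found on $ComputerName in the last $Days days"
} else {
    $rows | Group-Object Workstation | Sort-Object Count -Descending |
        Select-Object @{n='Workstation';e={$_.Name}}, Count,
                      @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ', '}} |
        Format-Table -AutoSize
}
```

Because a DC only logs 4776 for pass-through validation and the NTLM version appears in the 4624 on the server that accepted the logon, this has to run on (or collect from) the member servers as well as the DCs; an empty result on the DCs alone does not mean the domain is NTLMv1-free.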