Among the other messages, there will be a message that begins with “SNISecurity Handshake.” Then, there will be a "handshake failed" or "handshake succeeded" message that indicates failure or success.
In the case of a failure, the client and the server could not negotiate the handshake successfully because they shared no common protocols. Because no other information is available about the client yet (the handshake occurs before the logon happens), only the client's IP address is available.
If the handshake succeeded, information about the handshake protocol is available: the cipher, its strength, the hash used, the hash strength, and the client's IP address. Because the handshake was just completed, no information about the client is yet available except its IP address.
Note This process does not apply to Microsoft SQL Server 2012 because the Trace extended event is not implemented for the SNI layer in that version. For SQL Server 2012, you must use Built-In Diagnostics (BID) traces. For more information, see this Docs article.