on a zimbra 5.0.9 OSS edition, i found this strange behavior in audit.log:
2010-02-09 05:20:42,076 WARN [btpool0-19491] [ip=xxx.xxx.xxx.xxx;ua=ZimbraWebClient - IE6 (Win)/5.0.9_GA_2533.RHEL4;] security - cmd=Auth; email@example.com
2010-02-09 06:37:37,966 INFO [btpool0-19470] [oip=xxx.xxx.xxx.xxx;ua=zclient/5.0.9_GA_2533.RHEL4;] security - cmd=Auth; firstname.lastname@example.org
both log are for same account, thus i'm wondering :
1) what's the difference between "ip" and "oip" ?
2) what's the difference between zclient and ZimbraWebClient?
I found most of webclient login will be logged as "zclient". any idea why "ZimbraWebClient" is there?
3) why login via "ZimbraWebClient" is marked as WARN? while login via "zclient" is marked as INFO?