on a zimbra 5.0.9 OSS edition, i found this strange behavior in audit.log:
2010-02-09 05:20:42,076 WARN [btpool0-19491] [ip=xxx.xxx.xxx.xxx;ua=ZimbraWebClient - IE6 (Win)/5.0.9_GA_2533.RHEL4;] security - cmd=Auth; firstname.lastname@example.org
2010-02-09 06:37:37,966 INFO [btpool0-19470] [oip=xxx.xxx.xxx.xxx;ua=zclient/5.0.9_GA_2533.RHEL4;] security - cmd=Auth; email@example.com
both log are for same account, thus i'm wondering :
1) what's the difference between "ip" and "oip" ?
2) what's the difference between zclient and ZimbraWebClient?
I found most of webclient login will be logged as "zclient". any idea why "ZimbraWebClient" is there?
3) why login via "ZimbraWebClient" is marked as WARN? while login via "zclient" is marked as INFO?