We are running ZCS v6.0.13 open source edition. We have one particular user who has his account logged out on an increasingly regular basis. Looking through the audit logs I see a SOAP request for his account, but it has an IP of our Zimbra server which means I can't trace the source.

Can anyone suggest any other means of tracing the source of these login attempts? I have tried packet capture, but the amount of traffic makes it difficult and time consuming to trawl through.

Kind regards,