Audits Logs: Random login failures from the server's public IP?

General discussion about Zimbra Desktop.
AndrewN
Posts: 13
Joined: Mon Sep 15, 2014 3:27 pm

Audits Logs: Random login failures from the server's public IP?

Postby AndrewN » Mon Jan 26, 2015 9:40 am

Hello All,


While doing some digging into logs to ID who is attempting to access an account, I've run in to a small hiccup...  Failed logins to the user interface will show the original IP (oip=) in audit.log, but admin logins show as if it came from the server?


I've included a snipped from my logs below:  The top line shows when one of my staff logged in to his regular email a few minutes ago, the bottom shows when someone tried to access the admin panel.  I've replaced my server's IP with 1.2.3.4, and the public IP with 5.6.7.8.


As you can see, both lines are relatively similar except for the fact that the second doesn't show the originating IP.  Is this intended, or a bug, or a misconfiguration?  Thanks!


2015-01-26 09:17:16,281 WARN  [qtp123456789-26591:http://127.0.0.1:80/service/soap/AuthRequest] [name=johnny.admin@example.net;oip=5.6.7.8;ua=zclient/8.5.0_GA_3042;] security - cmd=Auth; account=johnny.admin@example.net; protocol=soap; error=authentication failed for [johnny.admin@example.net], invalid password;

2015-01-26 08:30:33,020 WARN [qtp123456789-24680:https://1.2.3.4:7071/service/admin/soap/] [name=jane.doe@example.net;ip=1.2.3.4;] security - cmd=Auth; account=jane.doe@example.net; protocol=soap; error=authentication failed for [jane.doe@example.net], invalid password;


AndrewN
Posts: 13
Joined: Mon Sep 15, 2014 3:27 pm

Audits Logs: Random login failures from the server's public IP?

Postby AndrewN » Thu Jan 29, 2015 4:49 pm

Just had another wave of these today that kicked a user out for invalid logins. A wave of 10 or so of the same entry with different timetsamps. All were failures involving https://<server IP>:7070/service/admin/soap. The user kicked out was actively in his mailbox at the time he was kicked out, because of these failures.

Return to “General Questions”

Who is online

Users browsing this forum: No registered users and 2 guests