
Audit Logs: Random login failures from the server's public IP?

Posted: Mon Jan 26, 2015 9:40 am
by AndrewN

Hello All,


While doing some digging into logs to ID who is attempting to access an account, I've run into a small hiccup... Failed logins to the user interface will show the original IP (oip=) in audit.log, but admin logins show as if they came from the server?


I've included a snippet from my logs below. The top line shows when one of my staff logged in to his regular email a few minutes ago; the bottom shows when someone tried to access the admin panel. I've replaced my server's IP with 1.2.3.4, and the public IP with 5.6.7.8.


As you can see, both lines are relatively similar except for the fact that the second doesn't show the originating IP.  Is this intended, or a bug, or a misconfiguration?  Thanks!


2015-01-26 09:17:16,281 WARN  [qtp123456789-26591:http://127.0.0.1:80/service/soap/AuthRequest] [name=johnny.admin@example.net;oip=5.6.7.8;ua=zclient/8.5.0_GA_3042;] security - cmd=Auth; account=johnny.admin@example.net; protocol=soap; error=authentication failed for [johnny.admin@example.net], invalid password;

2015-01-26 08:30:33,020 WARN [qtp123456789-24680:https://1.2.3.4:7071/service/admin/soap/] [name=jane.doe@example.net;ip=1.2.3.4;] security - cmd=Auth; account=jane.doe@example.net; protocol=soap; error=authentication failed for [jane.doe@example.net], invalid password;

Posted: Thu Jan 29, 2015 4:49 pm
by AndrewN
Just had another wave of these today that kicked a user out for invalid logins. A wave of 10 or so of the same entry with different timestamps. All were failures involving https://<server IP>:7070/service/admin/soap. The user kicked out was actively in his mailbox at the time he was kicked out, because of these failures.
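
A triage sketch for the two entry shapes quoted in this thread, added here as an example and not posted by any participant: it parses failed `cmd=Auth` entries, prefers `oip=` over `ip=` as the source, and counts failures per account so a wave against one mailbox stands out. The function names, the `server_ips` parameter and the third sample line are constructed for the example, and treating an `ip=` equal to the server's own address as "origin not recorded" is an assumption.

```python
import re
from collections import Counter

# First two entries are copied from the post above; the third is constructed.
SAMPLE = """\
2015-01-26 09:17:16,281 WARN  [qtp123456789-26591:http://127.0.0.1:80/service/soap/AuthRequest] [name=johnny.admin@example.net;oip=5.6.7.8;ua=zclient/8.5.0_GA_3042;] security - cmd=Auth; account=johnny.admin@example.net; protocol=soap; error=authentication failed for [johnny.admin@example.net], invalid password;
2015-01-26 08:30:33,020 WARN [qtp123456789-24680:https://1.2.3.4:7071/service/admin/soap/] [name=jane.doe@example.net;ip=1.2.3.4;] security - cmd=Auth; account=jane.doe@example.net; protocol=soap; error=authentication failed for [jane.doe@example.net], invalid password;
2015-01-26 08:30:34,113 WARN [qtp123456789-24681:https://1.2.3.4:7071/service/admin/soap/] [name=jane.doe@example.net;ip=1.2.3.4;] security - cmd=Auth; account=jane.doe@example.net; protocol=soap; error=authentication failed for [jane.doe@example.net], invalid password;
"""

# timestamp, level, [thread:request-url], [key=value; context], "security - " message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+"
    r"\[[^:\]]+:(?P<url>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<msg>.*)$")

def parse_failures(text):
    """Yield one dict per failed Auth entry; other lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or "cmd=Auth" not in m["msg"] or "error=" not in m["msg"]:
            continue
        ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
        acct = re.search(r"account=([^;]+)", m["msg"])
        yield {"ts": m["ts"], "url": m["url"],
               "account": acct.group(1) if acct else ctx.get("name"),
               "oip": ctx.get("oip"), "ip": ctx.get("ip")}

def triage(text, server_ips):
    """Count failures per (account, source, origin_known)."""
    counts = Counter()
    for f in parse_failures(text):
        source = f["oip"] or f["ip"]
        # Assumption: with no oip= and ip= set to the server itself,
        # the entry does not tell us where the attempt really came from.
        known = f["oip"] is not None or (
            f["ip"] is not None and f["ip"] not in server_ips)
        counts[(f["account"], source, known)] += 1
    return counts

if __name__ == "__main__":
    for (account, source, known), n in triage(SAMPLE, {"1.2.3.4"}).most_common():
        note = "" if known else "  <- origin not recorded"
        print(f"{n:3d}  {account:28s} {source}{note}")
```

Entries flagged as "origin not recorded" need correlating by timestamp with whatever sits in front of the admin port (proxy or firewall logs) to find the real client.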