While doing some digging into logs to ID who is attempting to access an account, I've run in to a small hiccup... Failed logins to the user interface will show the original IP (oip=) in audit.log, but admin logins show as if it came from the server?
I've included a snipped from my logs below: The top line shows when one of my staff logged in to his regular email a few minutes ago, the bottom shows when someone tried to access the admin panel. I've replaced my server's IP with 184.108.40.206, and the public IP with 220.127.116.11.
As you can see, both lines are relatively similar except for the fact that the second doesn't show the originating IP. Is this intended, or a bug, or a misconfiguration? Thanks!
2015-01-26 09:17:16,281 WARN [qtp123456789-26591:http://127.0.0.1:80/service/soap/AuthRequest] [firstname.lastname@example.org;oip=18.104.22.168;ua=zclient/8.5.0_GA_3042;] security - cmd=Auth; email@example.com; protocol=soap; error=authentication failed for [firstname.lastname@example.org], invalid password;
2015-01-26 08:30:33,020 WARN [qtp123456789-24680:https://22.214.171.124:7071/service/admin/soap/] [email@example.com;ip=126.96.36.199;] security - cmd=Auth; firstname.lastname@example.org; protocol=soap; error=authentication failed for [email@example.com], invalid password;