Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to find IP of failed login attempts

LarryMartell
LarryMartell April 18, 2016

We have a self hosted JIRA install. On the admin page I noticed failed login attempts for a user who's left the company and had his account disabled:

Last Failed Login: Today 6:05 PM
Current Failed Login Count: 8
Total Failed Login Count: 11

How I can I see what IP these attempts came from? 

I read this question: https://answers.atlassian.com/questions/203776

And it said: 

You can view the information from the user sessions under the Security on the JIRA Administration page.

From there you are able to tell who is trying to establish the session and which session is still active. Failed session will have no session ID and no user, but it will track which ip is the request from.

When I went there I saw a session that had a session ID, and under user it said 'Not available' But there were no entries with no session ID. 

Answer
Watch
Like Bhushan Nagaraj likes this
2795 views

1 answer

3 votes
Bhushan Nagaraj
Bhushan Nagaraj
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 18, 2016

Hey Larry,

Go to JIRA_HOME/log/atlassian-jira-security.log and search for the text

The user '<insert username here>' has FAILED authentication

That should give you the IP address

View More Comments
Jeff Turner
Jeff Turner
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 19, 2019

A small perl script that extracts failing usernames and IPs from atlassian-jira-security.log:

cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F[6] if (/The user '([^']+)' has FAILED authentication/)"
jsmith 10.1.1.104
jsmith 10.1.1.104
testsvc 10.1.1.102
...

To get the top failing username/IPs:

cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F[6] if (/The user '([^']+)' has FAILED authentication/)"| sort | uniq -c | sort -nr | head

4546  jsmith 10.1.1.104
4332  seportal 10.1.1.99
148   testsvc 10.1.1.102
...
Like Maxim Kuznetsov likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events