We have a self hosted JIRA install. On the admin page I noticed failed login attempts for a user who's left the company and had his account disabled:
Last Failed Login: Today 6:05 PM
Current Failed Login Count: 8
Total Failed Login Count: 11
How I can I see what IP these attempts came from?
I read this question: https://answers.atlassian.com/questions/203776
And it said:
You can view the information from the user sessions under the Security on the JIRA Administration page.
From there you are able to tell who is trying to establish the session and which session is still active. Failed session will have no session ID and no user, but it will track which ip is the request from.
When I went there I saw a session that had a session ID, and under user it said 'Not available' But there were no entries with no session ID.
A small perl script that extracts failing usernames and IPs from atlassian-jira-security.log:
cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F if (/The user '([^']+)' has FAILED authentication/)"
To get the top failing username/IPs:
cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F if (/The user '([^']+)' has FAILED authentication/)"| sort | uniq -c | sort -nr | head
4546 jsmith 10.1.1.104
4332 seportal 10.1.1.99
148 testsvc 10.1.1.102
Hello friends! From the community that brought you Welcome Wednesday, Throwback Thursday and Friday Fun, welcome to Taco Tuesday, a weekly discussion about all things Trello. The best part? One Tac...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events