How to identify where an account is attempting to log in to Jira from
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
It can be helpful to understand where a specific user is attempting to log in from. For example, if a service account runs multiple processes on different machines and that account's password changes, it may be necessary to track down which processes still have the old password. Automated processes attempting to use an old password may lock out the user account.
Environment
Jira 8.20 and higher
Solution
Within the atlassian-jira-security.log file, login attempts appear as entries like the one below:
2023-03-14 18:42:45,648+0000 http-nio-8080-exec-116 url: /rest/api/latest/myself anonymous 1122x72341024x9 - xxx.xx.xxx.xx,127.0.0.1 /rest/api/latest/myself The user '<username>' is required to answer a CAPTCHA elevated security check. Failure count equals 11
In the case above, the login is already failing and the user is being presented with a CAPTCHA challenge. This may, for example, prevent API clients from functioning, since they are unable to complete CAPTCHA challenges.
The xxx.xx.xxx.xx will be the IP address for the machine that is sending the request to the Jira server.
If there is no reverse proxy, the IP address should be that of the machine that is running the API or sending the request.
If there is a reverse proxy, the IP address may be that of the proxy server if the X-Forwarded-For header is not implemented at the proxy level. If X-Forwarded-For is not implemented, then the proxy access logs may need to be reviewed to determine the original IP address of the request.
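The lookup described above can be scripted when one account fails from several machines. The following Python is an added example, not Atlassian's code: the function name captcha_sources, the field layout (inferred from the single sample line in this article), and the constructed sample lines with their account names and documentation-range IP addresses are all assumptions.

```python
import re
from collections import defaultdict

# Field layout inferred from the single sample line in this article (assumption).
CAPTCHA_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ url: \S+ \S+ \S+ \S+ (?P<ips>\S+) \S+ "
    r"The user '(?P<user>[^']+)' is required to answer a CAPTCHA "
    r"elevated security check\. Failure count equals (?P<count>\d+)"
)

def captcha_sources(lines, username):
    """Group CAPTCHA-triggering login failures for `username` by source IP."""
    sources = defaultdict(lambda: {"events": 0, "max_failures": 0, "last_seen": ""})
    for line in lines:
        m = CAPTCHA_RE.match(line.strip())
        if not m or m["user"] != username:
            continue  # unrelated entry or a different account
        # The address field is a comma-separated chain; the article treats the
        # first entry as the machine that sent the request. Behind a proxy that
        # does not set X-Forwarded-For, this is the proxy's own address.
        client_ip = m["ips"].split(",")[0]
        entry = sources[client_ip]
        entry["events"] += 1
        entry["max_failures"] = max(entry["max_failures"], int(m["count"]))
        # Timestamps share one fixed-width format, so string order is time order.
        entry["last_seen"] = max(entry["last_seen"], m["ts"])
    return dict(sources)

# Constructed sample lines modelled on the entry shown in this article.
_T = ("{ts} http-nio-8080-exec-1 url: /rest/api/latest/myself anonymous 1x1x1 - "
      "{ips} /rest/api/latest/myself The user '{user}' is required to answer a "
      "CAPTCHA elevated security check. Failure count equals {n}")
SAMPLE_LOG = [
    _T.format(ts="2023-03-14 18:42:45,648+0000", ips="203.0.113.10,127.0.0.1",
              user="svc-build", n=11),
    _T.format(ts="2023-03-14 18:43:15,102+0000", ips="203.0.113.10,127.0.0.1",
              user="svc-build", n=12),
    _T.format(ts="2023-03-14 18:43:01,007+0000", ips="198.51.100.7",
              user="svc-build", n=11),
    _T.format(ts="2023-03-14 18:44:00,000+0000", ips="203.0.113.10,127.0.0.1",
              user="other-user", n=4),
    "",  # blank or non-matching lines are skipped
]

if __name__ == "__main__":
    for ip, info in sorted(captcha_sources(SAMPLE_LOG, "svc-build").items()):
        print(ip, info)
```

To run it against a real log, pass an open file handle for atlassian-jira-security.log as the first argument in place of SAMPLE_LOG.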