BES Root audit log & src IP

I’m getting hits like this in my BES Root server_audit.log file (almost 2 /second)

Mon, 06 Feb 2017 12:51:22 -0600 -- Web Reports Audit Message -- Mon, 06 Feb 2017 12:51:20 -0600 -- ENVIRONMENT -- user "domain\acct" has logged into Web Reports

I cannot find any mass correlating events in either the BES Root .log file, or when I enable WebReports logging.

How can I find the source IP of this connection to WebReports? This is actually occurring on 4 Bigfix environment root servers. The weird thing is that the domain user account listed in the log doesn’t have an account in WR or Console in 1 of those environments.

looking at it some more, the “ENVIRONMENT” datasource identifier recorded in the log is used only on a BigFix WebReports instance we use that pulls from all 4 datasources. But why would a domain AD account that is hitting a WR instance be recored in the audit log of a different Root server?

I removed the Domain user’s LDAP user account in WebReports (removed attached roles). As soon as I did that, this showed up in the other BigFix enviornments’s root server audit log:

Mon, 06 Feb 2017 15:56:21 -0600 -- Web Reports Audit Message -- Mon, 06 Feb 2017 15:56:21 -0600 -- ENVIRONMENT -- user has failed to log into Web Reports.

I re-added the role back and then the original logs appeared again…

Mon, 06 Feb 2017 15:56:25 -0600 – Web Reports Audit Message – Mon, 06 Feb 2017 15:56:25 -0600 – ENVIRONMENT – user “domain\acct” has logged into Web Reports