Misleading audit event message `User access unlocked`
On a GitLab v17.5.1-ee instance, I'm seeing `User access unlocked` messages even though the user did not explicitly use the Unlock link they received by mail, and the message mentions an IP address that does not belong to this user:
| Author | Object | Action | Target | IP Address | Date |
|---|---|---|---|---|---|
| ... | ... | ... | ... | ... | ... |
| john.doe@example.net (removed) | gitlab_instance | Failed to login with STANDARD authentication | john.doe@example.net | x.x.227.132 | 2024-10-31 08:25:50 GMT+0100 |
| John | john.doe | User access unlocked | John | x.x.227.132 | 2024-10-31 08:25:49 GMT+0100 |
| ... | ... | ... | ... | ... | ... |
| john.doe (removed) | gitlab_instance | Failed to login with STANDARD authentication | john.doe | x.x.246.163 | 2024-10-30 22:47:41 GMT+0100 |
| GitLab Admin Bot | john.doe | User access locked - excessive failed login attempts | John | x.x.246.163 | 2024-10-30 22:47:41 GMT+0100 |
| ... | ... | ... | ... | ... | ... |
I guess the "unlock" message is triggered on the next authentication failure (that occurs after the 10-minute automatic unlock).
If this is the case, I think the message should not mention the user as the Author but instead mention GitLab Admin Bot (like in the `User access locked` message) with a more detailed message (e.g. `User access automatically unlocked`):
| Author | Object | Action | Target | IP Address | Date |
|---|---|---|---|---|---|
| GitLab Admin Bot | john.doe | User access automatically unlocked | John | x.x.227.132 | 2024-10-31 08:25:49 GMT+0100 |
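
A triage sketch for the pattern reported above, added here as an example and not GitLab code: it labels a `User access unlocked` event as likely automatic when it comes at least 10 minutes after the lock and sits next to a failed login from the same IP, which is the reporter's hypothesis. The event dictionaries, field names and the 2-second correlation window are assumptions, and the sample rows are constructed from the table in the report.

```python
from datetime import datetime, timedelta

AUTO_UNLOCK_AFTER = timedelta(minutes=10)   # unlock delay stated in the report
CORRELATION_WINDOW = timedelta(seconds=2)   # assumption: unlock and failed login are logged together

LOCKED = "User access locked - excessive failed login attempts"
UNLOCKED = "User access unlocked"
FAILED = "Failed to login with STANDARD authentication"

# Constructed sample modelled on the rows in the report (field names are hypothetical).
SAMPLE_EVENTS = [
    {"user": "john.doe", "action": LOCKED, "ip": "x.x.246.163", "at": "2024-10-30T22:47:41+01:00"},
    {"user": "john.doe", "action": FAILED, "ip": "x.x.246.163", "at": "2024-10-30T22:47:41+01:00"},
    {"user": "john.doe", "action": UNLOCKED, "ip": "x.x.227.132", "at": "2024-10-31T08:25:49+01:00"},
    {"user": "john.doe", "action": FAILED, "ip": "x.x.227.132", "at": "2024-10-31T08:25:50+01:00"},
    {"user": "jane.roe", "action": LOCKED, "ip": "x.x.10.1", "at": "2024-10-31T09:00:00+01:00"},
    {"user": "jane.roe", "action": UNLOCKED, "ip": "x.x.10.2", "at": "2024-10-31T09:03:00+01:00"},
]


def classify_unlocks(events):
    """Label each unlock event 'likely-automatic' or 'explicit-or-unknown'."""
    rows = sorted(({**e, "ts": datetime.fromisoformat(e["at"])} for e in events),
                  key=lambda e: e["ts"])
    last_lock = {}  # user -> timestamp of the most recent lock
    results = []
    for ev in rows:
        if ev["action"] == LOCKED:
            last_lock[ev["user"]] = ev["ts"]
        elif ev["action"] == UNLOCKED:
            locked_at = last_lock.pop(ev["user"], None)
            past_window = locked_at is not None and ev["ts"] - locked_at >= AUTO_UNLOCK_AFTER
            # A failed login from the same IP right next to the unlock suggests the
            # unlock was a side effect of that attempt, not a click on the mailed link.
            near_failure = any(
                o["action"] == FAILED and o["user"] == ev["user"] and o["ip"] == ev["ip"]
                and abs(o["ts"] - ev["ts"]) <= CORRELATION_WINDOW
                for o in rows)
            verdict = "likely-automatic" if past_window and near_failure else "explicit-or-unknown"
            results.append((ev["user"], ev["ip"], ev["at"], verdict))
    return results


if __name__ == "__main__":
    for row in classify_unlocks(SAMPLE_EVENTS):
        print(*row, sep="  ")
```

An unlock labelled `explicit-or-unknown` from an IP the user does not recognise is the case that still needs manual review.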