The final column in WHMCS's logs indicates the IP address of the person taking the action, typically the client or member of staff. You can view this in these logs:

In WHMCS 8.0 and later:

• Configuration > System Logs
• Configuration > System Logs > Admin Log
• Configuration > System Logs > Whois Log

In WHMCS 7.10 and earlier:

• Utilities > Logs > Activity Log
• Utilities > Logs > Admin Log
• Utilities > Logs > Whois Log

If you are seeing the server IP address in the IP Address column instead, the IP address that the server configuration sends to PHP doesn't belong to the visitor performing the action on the webpage.

WHMCS checks the following variables in descending order for an IP address. If the IP address is available and is not a local address, it will use that as the client's IP address on the order form, details, and logs. If none of these are available, WHMCS will return the REMOTE_ADDR as the IP address. This applies to both IPv4 and IPv6 connections.

• HTTP_CLIENT_IP
• HTTP_X_FORWARDED_FOR
• HTTP_X_FORWARDED
• HTTP_X_CLUSTER_CLIENT_IP
• HTTP_FORWARDED_FOR
• HTTP_FORWARDED
• REMOTE_ADDR

If one of these PHP variables is reporting the server's IP address instead of the visitor's IP address, that will be recorded by WHMCS.

This situation most often arises when used with a proxy or forwarding service (such as CloudFlare).

To resolve this situation, you must configure WHMCS to recognize the proxy server's details via the Trusted Proxy settings.

1. Navigate to Configuration > System Settings > General Settings (Setup > General Settings prior to WHMCS 8.0).

2. Click Security.

3. Complete the Proxy IP Header and Trusted Proxies fields for your proxy server's configuration.

4. Click Save Changes.

 The IP address in the log will now correctly reflect the IP address of the admin or client performing an action.

For more information, see Security Tab Trusted Proxies and Trusted Proxy Settings.