Authentication failure without IP in the logs

SYSTEM INFORMATION
Debian Linux 11 REQUIRED
Virtualmin 7.5 REQUIRED

Hey people, recently I’ve found in auth.log a lot of these entries without an IP, if anyone could shed some light on it or help me get an IP into the logs would be mostly appreciated.
These are the typical entries:

Mar 6 06:31:45 perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Mar 6 21:01:01 perl: pam_unix(usermin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root

is this after a reboot or restart of webmin?

Hey, yes! I just noticed! that line was after a reboot at 6:30 and all of these are after a reboot, the usermin:auth line wasn’t and there are many (but way fewer) at random times

EDIT: I just tracked the timestamps and run some tests and it turns out the usermin:auth authentication failures are just regular accesses to usermin directly from virtuamin without going through user login, hence the false positive, I guess the system won’t log it’s own IP, so I think they are all false positives, hard to guess without an IP though :joy:

Thanks for the clue Stefan!

Googling perl: pam_unix(webmin:auth): helped. They talked about after a restart.