Identify IP of the client machine that sends invalid login request
Looking for a mechanism to identify where the failing request is coming from. Specifically, the information that will help identify which machine is sending the request that results in the user ID getting locked out.
One answer
To find out the IP address of the client that sends requests to WebSphere, you can enable the NCSA access log. This log provides IP address, request URL with status code:
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=utrb_httperrlogs

http_access.log will be created in the same directory as systemOut.log. If you have IHS/plugin in front of WebSphere, you can take a look at the access_log in the IHS logs directory. It provides similar details as the http_access.log.

A sample output from a 401 environment. IHS on a different Linux box than WAS. The use case is trying to log in to jts/admin using web UI (Firefox).

A failed login shows the following errors:

SystemOut.log:

```
[6/21/13 12:06:45:195 EDT] 00000028 FormLoginExte E SECJ0118E: Authentication error during authentication for user wasadmin
```

IHS access_log:

```
9.26.41.229 - - [21/Jun/2013:12:06:42 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
9.26.41.229 - - [21/Jun/2013:12:06:43 -0400] "GET /jts/auth/authfailed HTTP/1.1" 200 1197
9.26.41.229 - - [21/Jun/2013:12:06:43 -0400] "GET /jts/_theming/resource/html/loginFooter.html HTTP/1.1" 200 -
```

A successful login shows up as the following in IHS access_log:

```
9.26.41.229 - - [21/Jun/2013:11:58:44 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
9.26.41.229 - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112
9.26.41.229 - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112
```

"POST /jts/authenticated/j_security_check" is when the request for authentication is submitted.
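As an added example (not part of the original answer and not IBM tooling), the following Python script counts failed form logins per client IP by pairing each `j_security_check` POST with the next request from the same address, using the failed and successful patterns shown in the sample above. The function name and the `192.0.2.10` log lines are constructed for illustration, and it assumes the access log is in the same format as the sample.

```python
import re
from collections import Counter

# host ident user [timestamp] "METHOD path PROTO" status bytes (format of the sample above)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
LOGIN_SUFFIX = "/j_security_check"   # login submit, per the answer
FAILED_SUFFIX = "/auth/authfailed"   # page requested after a failed login in the sample

# First six lines are from the answer; the 192.0.2.10 lines are constructed.
SAMPLE = """\
9.26.41.229 - - [21/Jun/2013:11:58:44 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
9.26.41.229 - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112
9.26.41.229 - - [21/Jun/2013:11:58:45 -0400] "GET /jts/authenticated/identity HTTP/1.1" 200 112
9.26.41.229 - - [21/Jun/2013:12:06:42 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
9.26.41.229 - - [21/Jun/2013:12:06:43 -0400] "GET /jts/auth/authfailed HTTP/1.1" 200 1197
9.26.41.229 - - [21/Jun/2013:12:06:43 -0400] "GET /jts/_theming/resource/html/loginFooter.html HTTP/1.1" 200 -
192.0.2.10 - - [21/Jun/2013:12:07:01 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
192.0.2.10 - - [21/Jun/2013:12:07:01 -0400] "GET /jts/auth/authfailed HTTP/1.1" 200 1197
192.0.2.10 - - [21/Jun/2013:12:07:09 -0400] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 -
192.0.2.10 - - [21/Jun/2013:12:07:09 -0400] "GET /jts/auth/authfailed HTTP/1.1" 200 1197
""".splitlines()


def failed_logins_by_ip(lines):
    """Count login POSTs whose next request from the same IP is the auth-failed page."""
    pending = set()       # IPs with a login POST whose outcome is not yet seen
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue      # skip blank or non-conforming lines
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]   # ignore any query string
        if m["method"] == "POST" and path.endswith(LOGIN_SUFFIX):
            pending.add(ip)
        elif ip in pending:
            # The first request after the POST reveals the outcome.
            if path.endswith(FAILED_SUFFIX):
                failures[ip] += 1
            pending.discard(ip)
    return failures


if __name__ == "__main__":
    for ip, count in failed_logins_by_ip(SAMPLE).most_common():
        print(f"{ip}\t{count} failed login(s)")
```

The access log carries no user name, so match the timestamps of the flagged requests against the SECJ0118E entries in SystemOut.log to tie a client IP to the user ID being locked out.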