diff --git a/authenticate/middleware.go b/authenticate/middleware.go
index e7e4c95b8..77328ebb0 100644
--- a/authenticate/middleware.go
+++ b/authenticate/middleware.go
@@ -1,6 +1,7 @@
 package authenticate
 
 import (
+	"context"
 	"net/http"
 	"net/url"
 
@@ -61,7 +62,8 @@ func (a *Authenticate) logAuthenticateEvent(r *http.Request, profile *identity.P
 		log.Warn(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
 	}
 
-	evt := log.Info(ctx).
+	evt := log.Info(context.Background()).
+		Str("ip", httputil.GetClientIP(r)).
 		Str("pomerium_version", params.Get(urlutil.QueryVersion)).
 		Str("pomerium_request_uuid", params.Get(urlutil.QueryRequestUUID)).
 		Str("pomerium_pub", pub.String())
diff --git a/internal/httputil/ip.go b/internal/httputil/ip.go
new file mode 100644
index 000000000..9f93cf8e7
--- /dev/null
+++ b/internal/httputil/ip.go
@@ -0,0 +1,14 @@
+package httputil
+
+import (
+	"net/http"
+	"strings"
+)
+
+// GetClientIP returns the client IP address from the request.
+func GetClientIP(r *http.Request) string {
+	if clientIP := r.Header.Get("X-Forwarded-For"); clientIP != "" {
+		return strings.Split(clientIP, ",")[0]
+	}
+	return strings.Split(r.RemoteAddr, ":")[0]
+}