diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e5e2af544..d9e0d9ec0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2199,10 +2199,13 @@ _kdc_as_rep(astgs_request_t r)
         goto out;
     }
 
+    if (b->addresses)
+        _kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
+
     /* check for valid set of addresses */
     if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
         if (r->config->warn_ticket_addresses) {
-            kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+            _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
         } else {
             _kdc_set_e_text(r, "Request from wrong address");
             ret = KRB5KRB_AP_ERR_BADADDR;
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index dda7684d8..eba596188 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1351,9 +1351,11 @@ next_kvno:
                               &ap_req_options,
                               ticket,
                               KRB5_KU_TGS_REQ_AUTH);
+    if (ticket && (*ticket)->ticket.caddr)
+        _kdc_audit_addaddrs((kdc_request_t)r, (*ticket)->ticket.caddr, "tixaddrs");
     if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
         *ticket != NULL) {
-        kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+        _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
         ret = 0;
     }
     if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
@@ -2396,10 +2398,11 @@ server_lookup:
     if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
         if (config->check_ticket_addresses) {
             ret = KRB5KRB_AP_ERR_BADADDR;
+            _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
             kdc_log(context, config, 4, "Request from wrong address");
             goto out;
         } else if (config->warn_ticket_addresses) {
-            kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+            _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
         }
     }
 
diff --git a/kdc/process.c b/kdc/process.c
index 3bcc05e66..a2d6f05e6 100644
--- a/kdc/process.c
+++ b/kdc/process.c
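Review bot: The reject path in the `else` branch of the kerberos5.c hunk (the one setting `ret = KRB5KRB_AP_ERR_BADADDR`) records nothing in the audit trail, while the warn-only branch above it now records `wrongaddr=yes`; the second krb5tgs.c hunk (after `server_lookup:`) records the key on both its reject and its warn path. For consistency, and so a BADADDR rejection is identifiable from the audit line without cross-referencing the error text, add `_kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");` before `_kdc_set_e_text(r, "Request from wrong address");`. Note that the `reqaddrs` values come from `b->addresses`, i.e. the client-supplied request body, so consumers of the audit log should treat them as claimed addresses rather than observed ones — a one-line comment at the new call saying so would help. `_kdc_as_rep` starts before and ends after the hunk.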
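Review bot: The new guard in the first krb5tgs.c hunk, `if (ticket && (*ticket)->ticket.caddr)`, tests the out-pointer but dereferences `*ticket` unconditionally, while the pre-existing condition two lines below guards on `*ticket != NULL` — so if `krb5_verify_ap_req2` can return an error without setting `*ticket` (the BAD_INTEGRITY retry path right below suggests that case is expected), this line dereferences NULL on a request carrying an unverifiable AP-REQ. Change it to `if (ticket && *ticket && (*ticket)->ticket.caddr)`. Whether `*ticket` is always populated before an error return should be confirmed against `krb5_verify_ap_req2`, but the cheaper guard costs nothing either way. The enclosing function starts before and ends after the hunk.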
@@ -94,6 +94,30 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
     heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
 }
 
+/*
+ * Add up to 3 key value pairs to record HostAddresses from request body or
+ * PA-TGS ticket or whatever.
+ */
+void
+_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
+{
+    size_t i;
+    char buf[128];
+
+    if (a->len > 3) {
+        char numkey[32];
+
+        if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
+            numkey[31] = '\0';
+        _kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
+    }
+
+    for (i = 0; i < 3 && i < a->len; i++) {
+        if (krb5_print_address(&a->val[0], buf, sizeof(buf), NULL) == 0)
+            _kdc_audit_addkv(r, 0, key, "%s", buf);
+    }
+}
+
 void
 _kdc_audit_trail(kdc_request_t r, krb5_error_code ret)
 {
diff --git a/tests/kdc/check-bx509.in b/tests/kdc/check-bx509.in
index 081ee9603..dc5a2eba1 100644
--- a/tests/kdc/check-bx509.in
+++ b/tests/kdc/check-bx509.in
@@ -589,7 +589,7 @@ ${kgetcred} -H HTTP/${server}@${R} ||
 KRB5CCNAME=$cache $gsstoken HTTP@$server |
     KRB5_KTNAME="$keytab" $gsstoken -r ||
     { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
-grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
+grep 'REQ.*wrongaddr' ${objdir}/messages.log ||
     { echo "KDC not warning about requests from wrong address"; exit 2; }
 
 echo "Fetching a Negotiate token"
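Review bot: The loop in `_kdc_audit_addaddrs` prints `&a->val[0]` on every iteration, so up to three audit entries all carry the first address and the second and third addresses are never recorded; the index must be `i`: `if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)`. The `numkey` handling can be simplified: `snprintf` always NUL-terminates, so the `numkey[31] = '\0'` branch is dead, and comparing its `int` return against `sizeof(numkey)` promotes a negative return to a huge unsigned value — harmless here, but `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(numkey)) { /* key truncated, fall back to "num" */ }` states the intent. The function dereferences `a` without a NULL check and relies on both callers testing it first; a leading `if (a == NULL) return;` would let it be called unconditionally and removes a foot-gun for the next caller. The header comment should also state that `key` is repeated once per recorded address (at most three) and that `num<key>` carries the total only when more than three are present, since that is what a log consumer needs to know to interpret the entries.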