Hi Patrick,
The reason it shows 127.0.0.1 is probably you are using a on-premise setup with IIS or something in front of the mendix application. Since that if forwaring the request to mendix, it is coming from localhost. So you have to look at the (ipv6) address after the "X-Forwarded-For" parameter. That shows were the original request came from. If that address is not known to you, you might have a brute-force attack or something ongoing.