Just an update: setting the option “Override Authorization Clients” to “0.0.0.0/0” changes the audit log IP to that of the load balancer in front of HAProxy (10.123.128.15).
I managed the issue by disabling the “forwardfor” option in HAProxy, so the “X-Forwarded-For” header only contains one IP (the public one sent by the cloud load balancer). privacyIDEA audit logs capture the last IP from the “X-Forwarded-For” header. The “X-Forwarded-For” header can have more than one address if there is more than one reverse proxy. I believe this issue is more focused on infrastructure than privacyIDEA itself.
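
Added example, not part of the original post and not privacyIDEA's own code: it contrasts the "last X-Forwarded-For entry" rule described above with a right-to-left walk that skips known proxies, for the header with HAProxy's "forwardfor" enabled and disabled. The HAProxy address, the public client IP, the function names and the assumption that the cloud load balancer appends the client address to the header are all constructed for illustration.

```python
import ipaddress

def last_xff_entry(xff_header):
    """Selection rule the post describes: the last X-Forwarded-For entry."""
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    return entries[-1] if entries else None

def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Walk peer + X-Forwarded-For right to left and return the first hop that
    is not one of our own proxies (hypothetical helper for this example)."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    chain.append(peer_addr)  # the TCP peer is the only hop observed directly
    candidate = peer_addr
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last hop that parsed
        candidate = str(ip)
        if not any(ip in net for net in nets):
            break  # first address outside our infrastructure is the client
    return candidate

# Constructed sample values; only 10.123.128.15 comes from the post.
LOAD_BALANCER = "10.123.128.15"
HAPROXY = "10.123.128.20"   # assumed HAProxy address
CLIENT = "203.0.113.7"      # documentation-range public IP
TRUSTED = [LOAD_BALANCER + "/32", HAPROXY + "/32"]

# With "forwardfor" enabled, HAProxy appends its peer (the load balancer).
XFF_FORWARDFOR_ON = f"{CLIENT}, {LOAD_BALANCER}"
# With it disabled, only the entry set by the load balancer remains.
XFF_FORWARDFOR_OFF = CLIENT

if __name__ == "__main__":
    for label, xff in (("forwardfor on", XFF_FORWARDFOR_ON),
                       ("forwardfor off", XFF_FORWARDFOR_OFF)):
        print(label,
              "| last entry:", last_xff_entry(xff),
              "| trusted-proxy walk:", resolve_client_ip(HAPROXY, xff, TRUSTED))
```

Entries to the left of the first address outside the trusted list are unverified claims, so the walk stops there, and the header is ignored entirely when the direct peer is not a trusted proxy.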