Why so many ChallengeSent events for all AccountIDs?

I am seeing over 20,000 pairs of ChallengeSent / SuccessfulAuth event pairs in the security log:

[2018-07-18 15:59:30.147] SECURITY[16273] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“2018-07-18T15:59:30.146+0100”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“accountxxx”,SessionID=“xxxxxx”,LocalAddress=“IPV4/UDP/xxx.xxx.xxx.xxx/5060”,RemoteAddress=“IPV4/UDP/xxx.xxx.xxx.xxx/51677”,Challenge=“xxxxxxx”
[2018-07-18 15:59:30.173] SECURITY[16273] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-07-18T15:59:30.173+0100”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“accountxxx”,SessionID=“xxxxxx”,LocalAddress=“IPV4/UDP/xxx.xxx.xxx.xxx/5060”,RemoteAddress=“IPV4/UDP/xxx.xxx.xxx.xxx/51677”,UsingPassword=“1”

There is at least 1 per minute for each AccountID.
The SIP service seems to be asking each AccountID to authenticate every minute.
Is it expected behaviour or is it a problem with the clients on the devices? Most clients are using Zoiper.

Server is Asterisk 12.3

Any clarification greatly appreciated.

Asterisk would be challenging for authentication on inoming requests. You would need to look at the SIP traffic to see what exactly is going on.

How do I look at the SIP traffic?

The “sip set debug on” will cause SIP traffic to go to the console, or the wireshark program can be used to capture traffic.