Add client IP address to audit records #127481
Comments
Pinging @elastic/kibana-security (Team:Security)

When could we expect the "source.ip/client.ip" field in Kibana's audit log? It's a very useful and necessary feature!

Yes, this is a useful feature indeed! We don't have concrete dates yet, but improving audit log functionality (including this particular issue) is definitely on our roadmap.
Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

2. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running Kibana in development mode (`yarn start`) since Kibana runs behind a development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Follow up to #147526 which had to be reverted.

Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Start Elasticsearch with trial license: `yarn es snapshot --license trial`

2. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

3. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running Kibana in development mode (`yarn start`) since Kibana runs behind a development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Kibana's audit logs do not currently include the client IP address. We should add this as the `client.ip` field in the audit event.

Larry edit: We'll need to make sure to account for headers such as x-forwarded-for in a secure and reliable manner. In other words, we want to make sure we can get the actual client IP, even if we are behind one or more proxies. But we don't want to blindly trust request headers, either.
Blocked by: #147079
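
The concern raised in the issue description (using `x-forwarded-for` without blindly trusting it), shown as an added example that is not Kibana's implementation: the header is honored only when the direct peer is a known proxy, and the chain is walked from the right until the first address that is not one of those proxies. `resolveClientIp`, `auditClientIp` and the trusted CIDR list are hypothetical names; the code assumes IPv4 and that `client.ip` holds the direct peer address, as in the sample record above.

```javascript
// Added example: resolveClientIp, auditClientIp and the trusted CIDR list are
// hypothetical names, not Kibana APIs. IPv4 only.

// Parse a dotted-quad address into an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr ("10.0.0.0/8"); malformed input never matches.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !/^\d+$/.test(bits || '') || Number(bits) > 32) return false;
  const size = 2 ** (32 - Number(bits));
  return Math.floor(a / size) === Math.floor(b / size);
}

// Walk the chain from the socket peer leftwards through x-forwarded-for and stop
// at the first address that is not one of our own proxies.
function resolveClientIp(socketIp, xff, trustedCidrs) {
  const trusted = (ip) => trustedCidrs.some((c) => inCidr(ip, c));
  // A peer that is not a known proxy controls the header itself: ignore it.
  if (!xff || !trusted(socketIp)) return socketIp;
  const hops = xff.split(',').map((h) => h.trim());
  let current = socketIp;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return current; // malformed entry: stop here
    current = hops[i];
    if (!trusted(current)) return current;
  }
  return current; // every hop was a trusted proxy
}

// Apply the same rule to an audit record shaped like the sample on this page.
function auditClientIp(event, trustedCidrs) {
  const xff = event.http?.request?.headers?.['x-forwarded-for'];
  return resolveClientIp(event.client.ip, xff, trustedCidrs);
}
```

With the sample record and `127.0.0.0/8` trusted, the result is `1.1.1.1`; with no trusted proxies configured, the header is ignored and the result stays `127.0.0.1`.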