Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add client IP address to audit records #127481

Closed
jportner opened this issue Mar 10, 2022 · 3 comments · Fixed by #147526 or #148055
Closed

Add client IP address to audit records #127481

jportner opened this issue Mar 10, 2022 · 3 comments · Fixed by #147526 or #148055
Labels
enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature good first issue low hanging fruit loe:needs-research This issue requires some research before it can be worked on or estimated Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jportner
Copy link
Contributor

jportner commented Mar 10, 2022

Kibana's audit logs do not currently include the client IP address. We should add this as the client.ip field in the audit event.

Larry edit: We'll need to make sure to account for headers such as x-forwarded-for in a secure and reliable manner. In other words, we want to make sure we can get the actual client IP, even if we are behind one or more proxies. But we don't want to blindly trust request headers, either.

Blocked by: #147079

@jportner jportner added good first issue low hanging fruit Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature labels Mar 10, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego added the loe:needs-research This issue requires some research before it can be worked on or estimated label Mar 10, 2022
@jportner jportner mentioned this issue Mar 10, 2022
12 tasks
@yvbondarenko
Copy link

When we could expect "source.ip/client.ip" field in kibana's audit log? It's very useful and necessary feature!

@azasypkin
Copy link
Member

When we could expect "source.ip/client.ip" field in kibana's audit log? It's very useful and necessary feature!

Yes, this is a useful feature indeed! We don't have concrete dates yet, but improving audit log functionality (including this particular issue) is definitely on our roadmap.

thomheymann added a commit that referenced this issue Dec 16, 2022
Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

2. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
@exalate-issue-sync exalate-issue-sync bot reopened this Dec 19, 2022
thomheymann added a commit that referenced this issue Jan 3, 2023
Follow up to #147526 which had to be reverted.

Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Start Elasticsearch with trial license: `yarn es snapshot --license
trial`
2. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

3. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature good first issue low hanging fruit loe:needs-research This issue requires some research before it can be worked on or estimated Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
6 participants