
Include client IP address in audit log #147526

Merged
merged 3 commits into from
Dec 16, 2022

Conversation

thomheymann

@thomheymann thomheymann commented Dec 14, 2022

Resolves #127481

Release notes

Include IP address in audit log

Testing

1. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

2. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running Kibana in development mode (`yarn start`) since Kibana runs behind a development proxy.

@github-actions

Documentation preview:

@thomheymann thomheymann added Feature:Security/Audit Platform Security - Audit Logging feature v8.7.0 backport:skip This commit does not require backporting Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! release_note:enhancement labels Dec 14, 2022
@thomheymann thomheymann marked this pull request as ready for review December 14, 2022 16:06
@thomheymann thomheymann requested review from a team as code owners December 14, 2022 16:06
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)


@pgayvallet pgayvallet left a comment


LGTM for Core changes


@jeramysoucy jeramysoucy left a comment


LGTM

@thomheymann

@gchaps Are you happy with the documentation changes?


@gchaps gchaps left a comment


LGTM with one minor suggestion.

Review comment on docs/user/security/audit-logging.asciidoc (outdated, resolved)
thomheymann and others added 2 commits December 16, 2022 21:54
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
@thomheymann thomheymann enabled auto-merge (squash) December 16, 2022 22:03
@kibana-ci

💚 Build Succeeded

Metrics

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| security | 91 | 92 | +1 |

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| security | 1 | 3 | +2 |

Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| @kbn/core-http-server | 392 | 393 | +1 |
| core | 2808 | 2809 | +1 |
| security | 251 | 252 | +1 |
| total | | | +3 |

ESLint disabled in files

| id | before | after | diff |
|---|---|---|---|
| osquery | 1 | 2 | +1 |

ESLint disabled line counts

| id | before | after | diff |
|---|---|---|---|
| enterpriseSearch | 19 | 21 | +2 |
| fleet | 61 | 67 | +6 |
| osquery | 109 | 115 | +6 |
| securitySolution | 439 | 445 | +6 |
| total | | | +20 |

Total ESLint disabled count

| id | before | after | diff |
|---|---|---|---|
| enterpriseSearch | 20 | 22 | +2 |
| fleet | 70 | 76 | +6 |
| osquery | 110 | 117 | +7 |
| securitySolution | 516 | 522 | +6 |
| total | | | +21 |


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@thomheymann thomheymann merged commit a02c7dc into elastic:main Dec 16, 2022
thomheymann added a commit that referenced this pull request Dec 19, 2022
thomheymann added a commit that referenced this pull request Dec 19, 2022
Reverts #147526

Reverting due to errors when using `FakeRequest`:

```
TypeError: Cannot read properties of undefined (reading 'remoteAddress')
    at KibanaSocket.get remoteAddress [as remoteAddress] (/Users/shahzad-16/elastic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/src/socket.js:25:24)
    at Object.log (/Users/shahzad-16/elastic/kibana/x-pack/plugins/security/server/audit/audit_service.ts:95:32)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

Terminating process...
 server crashed  with status code 1
```
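The record shape shown in the PR description (`client.ip` plus the `x-forwarded-for` request header) and the `remoteAddress` crash in the revert above both come down to how the client fields are derived from a request. The following is an added example, not Kibana's own code: it assumes a minimal request shape (`headers` and an optional `socket.remoteAddress`, a hypothetical stand-in for `KibanaRequest`), builds the two audit fields from it, and treats a request without a socket (the `FakeRequest` case from the stack trace) as "no client address" rather than throwing. It also splits the forwarded chain into hops so a reviewer of the logs can see which address came from the socket and which were reported by proxies.

```typescript
// Added example (not Kibana code). Models the audit-log client fields from
// this PR and the no-socket failure mode from the revert.

// Hypothetical minimal request shape; Kibana's KibanaRequest carries more.
export interface AuditRequest {
  headers: Record<string, string | string[] | undefined>;
  socket?: { remoteAddress?: string };
}

export interface ClientAuditFields {
  client?: { ip: string };
  http?: { request: { headers: { 'x-forwarded-for': string } } };
}

/**
 * Build the client-related audit fields for a request. A request with no
 * underlying socket (e.g. an internal/fake request) yields no `client.ip`
 * instead of a TypeError on `undefined.remoteAddress`.
 */
export function clientAuditFields(request: AuditRequest): ClientAuditFields {
  const fields: ClientAuditFields = {};
  // Optional chaining is what prevents the crash seen in the revert.
  const ip = request.socket?.remoteAddress;
  if (ip) {
    fields.client = { ip };
  }
  const xff = request.headers['x-forwarded-for'];
  if (xff !== undefined) {
    const value = Array.isArray(xff) ? xff.join(', ') : xff;
    fields.http = { request: { headers: { 'x-forwarded-for': value } } };
  }
  return fields;
}

/**
 * Split an X-Forwarded-For chain into its hops. The leftmost entry is what
 * the proxies report as the original client; the rightmost is the hop
 * nearest this server. Only hops appended by proxies you control are
 * authoritative, so the socket address in `client.ip` remains the ground truth.
 */
export function forwardedHops(xff: string): string[] {
  return xff
    .split(',')
    .map((hop) => hop.trim())
    .filter((hop) => hop.length > 0);
}

// Constructed sample inputs mirroring the PR description and the revert.
export const proxiedRequest: AuditRequest = {
  headers: { 'x-forwarded-for': '1.1.1.1, 127.0.0.1' },
  socket: { remoteAddress: '127.0.0.1' },
};
export const fakeRequest: AuditRequest = { headers: {} };

console.log(JSON.stringify(clientAuditFields(proxiedRequest), null, 2));
console.log(JSON.stringify(clientAuditFields(fakeRequest)));
console.log(forwardedHops('1.1.1.1, 127.0.0.1'));
```

For the proxied sample this yields the same `client` and `http.request.headers` objects as the audit record in the PR description; for the socket-less sample it yields an empty object, which an audit service can log without the crash shown in the revert.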
thomheymann added a commit that referenced this pull request Jan 3, 2023
Follow up to #147526 which had to be reverted.

Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Start Elasticsearch with trial license: `yarn es snapshot --license
trial`
2. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

3. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Labels
backport:skip This commit does not require backporting Feature:Security/Audit Platform Security - Audit Logging feature release_note:enhancement Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.7.0

Successfully merging this pull request may close these issues.

Add client IP address to audit records
6 participants