Add client IP address to audit records #127481

Closed
jportner opened this issue Mar 10, 2022 · 3 comments · Fixed by #147526 or #148055
Labels
enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature good first issue low hanging fruit loe:needs-research This issue requires some research before it can be worked on or estimated Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jportner
Contributor

jportner commented Mar 10, 2022

Kibana's audit logs do not currently include the client IP address. We should add this as the client.ip field in the audit event.

Larry edit: We'll need to make sure to account for headers such as x-forwarded-for in a secure and reliable manner. In other words, we want to make sure we can get the actual client IP, even if we are behind one or more proxies. But we don't want to blindly trust request headers, either.

Blocked by: #147079

@jportner jportner added good first issue low hanging fruit Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Audit Platform Security - Audit Logging feature labels Mar 10, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego added the loe:needs-research This issue requires some research before it can be worked on or estimated label Mar 10, 2022
@jportner jportner mentioned this issue Mar 10, 2022
12 tasks
@yvbondarenko

When could we expect the "source.ip/client.ip" field in Kibana's audit log? It's a very useful and necessary feature!

@azasypkin
Member

> When could we expect the "source.ip/client.ip" field in Kibana's audit log? It's a very useful and necessary feature!

Yes, this is a useful feature indeed! We don't have concrete dates yet, but improving audit log functionality (including this particular issue) is definitely on our roadmap.

thomheymann added a commit that referenced this issue Dec 16, 2022
Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

2. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
@exalate-issue-sync exalate-issue-sync bot reopened this Dec 19, 2022
crespocarlos pushed a commit to crespocarlos/kibana that referenced this issue Dec 23, 2022
Resolves elastic#127481

thomheymann added a commit that referenced this issue Jan 3, 2023
Follow up to #147526 which had to be reverted.

Resolves #127481

## Release notes

Include IP address in audit log

## Testing

1. Start Elasticsearch with trial license: `yarn es snapshot --license trial`
2. Update `kibana.dev.yaml`:

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```

3. Observe audit logs in console when interacting with Kibana:

```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```

Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
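
The issue asks that `x-forwarded-for` not be trusted blindly, and the sample record above carries both the socket-level `client.ip` and the raw header. The following is an added example, not Kibana's implementation, of how a log consumer could resolve the originating client from such a record by walking the header right to left; `TRUSTED_PROXIES`, `SAMPLE_RECORD` and `resolveClientIp` are hypothetical names, and only IPv4 is handled.

```javascript
// Added example (not Kibana code). TRUSTED_PROXIES is a hypothetical allowlist
// of proxy ranges the operator controls; IPv4 only to keep the example short.
const TRUSTED_PROXIES = ['127.0.0.0/8', '10.0.0.0/8'];

// Constructed record, shaped like the audit event in the commit message above.
const SAMPLE_RECORD = {
  client: { ip: '127.0.0.1' },
  http: { request: { headers: { 'x-forwarded-for': '1.1.1.1, 127.0.0.1' } } },
};

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null when malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

const isTrusted = (ip, trusted) => trusted.some((cidr) => inCidr(ip, cidr));

// Returns { ip, source } where source says which evidence the address came from.
function resolveClientIp(record, trusted = TRUSTED_PROXIES) {
  const peer = record.client?.ip; // address of the direct TCP peer
  const xff = record.http?.request?.headers?.['x-forwarded-for'];
  // The header only means something if the direct peer is a proxy we control.
  if (!xff || !isTrusted(peer, trusted)) return { ip: peer, source: 'socket' };
  const hops = String(xff).split(',').map((h) => h.trim());
  // Right-most entries were appended by the nearest proxies; anything to the
  // left of the first untrusted hop is client-supplied and is ignored.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) break; // malformed entry: fail closed
    if (!isTrusted(hops[i], trusted)) return { ip: hops[i], source: 'x-forwarded-for' };
  }
  return { ip: peer, source: 'socket' };
}
```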