Security audit log showing login source IP address as opensearch instance IP address instead of true source
When viewing the audit log for authenticated requests, the source IP address of the request is not showing as the client's IP address but as the IP address of the opensearch node/instance. Can the source IP address of the client be shown? This is for PCI.
The remote client’s IP address is taken from the x-forwarded-for header. As far as I know, OpenSearch Dashboards doesn’t have the ability to include a custom x-forwarded-for header. In this case, you would need to use a proxy in front of OpenSearch Dashboards that would include such a header.
Then the x-forwarded-for header must be whitelisted in opensearch_dashboards.yml.
As a result, the audit logs will have an extra field, audit_rest_request_headers.x-forwarded-for, and audit_request_remote_address will reflect the value of the x-forwarded-for header.
You can test this behaviour with the curl command, i.e.:
curl --insecure -u admin:test -H "x-forwarded-for: 192.168.1.12" -X GET "https://localhost:9200"
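For a PCI review, the useful check is whether each audit entry actually carries the client address or still shows a node address because no proxy header reached OpenSearch. The following is an added example, not code from the thread or from the OpenSearch project: it parses constructed audit log lines using the two field names given in the answer above (the exact JSON shape of audit_rest_request_headers and the node addresses are assumptions), and it also handles a comma-separated X-Forwarded-For chain, which the answer does not discuss.

```python
import json

# Constructed sample audit log lines (not captured from a real cluster).
# Field names follow the answer above; the list-valued header shape is an assumption.
SAMPLE_AUDIT_LINES = [
    '{"audit_category":"AUTHENTICATED","audit_request_remote_address":"192.168.1.12",'
    '"audit_rest_request_headers":{"x-forwarded-for":["192.168.1.12"]},'
    '"audit_request_effective_user":"admin"}',
    '{"audit_category":"AUTHENTICATED","audit_request_remote_address":"10.0.0.5",'
    '"audit_rest_request_headers":{},'
    '"audit_request_effective_user":"admin"}',
    '{"audit_category":"AUTHENTICATED","audit_request_remote_address":"203.0.113.7",'
    '"audit_rest_request_headers":{"x-forwarded-for":["203.0.113.7, 10.0.0.9"]},'
    '"audit_request_effective_user":"kibanaserver"}',
]

# Addresses of the OpenSearch nodes/instances themselves (constructed values).
NODE_IPS = {"10.0.0.5"}


def header_value(headers, name):
    """Case-insensitive header lookup; values may be stored as a list or a string."""
    for key, value in headers.items():
        if key.lower() == name:
            return value[0] if isinstance(value, list) else value
    return None


def client_ip_from_xff(xff):
    """X-Forwarded-For may be a chain 'client, proxy1, proxy2'; the client is the first hop."""
    return xff.split(",")[0].strip() if xff else None


def check_audit_line(line, node_ips=NODE_IPS):
    """Return the recorded address for one entry and whether it still points at a node."""
    entry = json.loads(line)
    headers = entry.get("audit_rest_request_headers") or {}
    xff_client = client_ip_from_xff(header_value(headers, "x-forwarded-for"))
    remote = entry.get("audit_request_remote_address")
    return {
        "user": entry.get("audit_request_effective_user"),
        "remote_address": remote,
        "xff_client": xff_client,
        # True when no forwarded header arrived and the log shows a node IP, not the client.
        "missing_true_source": xff_client is None and remote in node_ips,
    }


def audit_report(lines, node_ips=NODE_IPS):
    """Check every audit line; entries flagged missing_true_source need proxy attention."""
    return [check_audit_line(line, node_ips) for line in lines]
```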