Security audit log showing login source IP as opensearch instance IP address

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

v2.6.0

Describe the issue:

Security audit log showing login source IP address as opensearch instance IP address instead of true source

When viewing the audit log for authenticated requests, the source IP address of the request is not showing as the client's IP address but the IP address of the opensearch node/instance. Can the source IP address of the client be shown? This is for PCI.

What does your cluster setup look like? Are you using a reverse proxy for instance to proxy authentication?

@jamie.stewart As far as I can see in the audit logs the reported IP address belongs to OpenSearch Dashboards.

The remote client’s IP address is taken from the x-forwarded-for header. As far as I know, OpenSearch Dashboards doesn’t have the ability to include a custom x-forwarded-for header. In this case, you would need to use a proxy in front of OpenSearch Dashboards that would include such a header.

Then the x-forwarded-for header must be whitelisted in the opensearch_dashboards.yml

opensearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for"]

and xff enabled in the config.yml

config:
  dynamic:
    http:
      xff:
        enabled: true

As a result, the audit logs will have an extra field audit_rest_request_headers.x-forwarded-for and audit_request_remote_address will reflect the value of the x-forwarded-for header.

You can test this behaviour with the curl command.
i.e.

curl --insecure -u admin:test -H "x-forwarded-for: 192.168.1.12" -X GET "https://localhost:9200"

or ModHeader plugin in the browser.

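A check that could be run over exported audit events to confirm the setup described in the answer above is taking effect, added here as an example and not part of the original post. The infrastructure network, the sample events and the list-valued header shape are assumptions; only the two field names come from the thread.

```python
import ipaddress

# Assumption: networks holding the OpenSearch nodes and OpenSearch Dashboards
# (constructed value; replace with the deployment's own ranges).
INFRA_NETS = [ipaddress.ip_network("10.0.5.0/24")]

def xff_chain(event):
    """Return the x-forwarded-for entries recorded on one audit event."""
    headers = event.get("audit_rest_request_headers") or {}
    raw = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), [])
    if isinstance(raw, str):  # tolerate a plain string as well as a list
        raw = [raw]
    return [p.strip() for value in raw for p in value.split(",") if p.strip()]

def is_infra(addr):
    """True when addr parses as an IP inside one of INFRA_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INFRA_NETS)

def classify(event):
    """Label one audit event by how its recorded source address was derived."""
    remote = event.get("audit_request_remote_address", "")
    chain = xff_chain(event)
    if not chain:
        return "no_xff_header"      # proxy missing, or header not whitelisted
    if is_infra(remote):
        return "xff_not_applied"    # header arrived but was not used for the address
    if remote not in chain:
        return "remote_not_in_xff"  # recorded address is not one the header carried
    return "ok"

# Constructed sample events using the two field names from the thread.
SAMPLE_EVENTS = [
    {"audit_request_remote_address": "10.0.5.20",
     "audit_rest_request_headers": {"Content-Length": ["0"]}},
    {"audit_request_remote_address": "10.0.5.20",
     "audit_rest_request_headers": {"x-forwarded-for": ["192.168.1.12"]}},
    {"audit_request_remote_address": "192.168.1.12",
     "audit_rest_request_headers": {"x-forwarded-for": ["192.168.1.12"]}},
    {"audit_request_remote_address": "203.0.113.7",
     "audit_rest_request_headers": {"x-forwarded-for": ["192.168.1.12, 10.0.5.9"]}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["audit_request_remote_address"], classify(ev))
```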

Thanks for the explanation. Is there any plan to include a reverse proxy as an installation option in the future?