Web Console Audit Log - showing actual login IP behind load balancer?

Hey everyone!

We're a new customer to the Orion platform, and we are setting up our Test/lab server ahead of rolling out production. I'm trying my hardest to take care of little things while other team members prep for our cutover.

I was just looking at the audit log of logins to our environment, and noticed that it shows 3 logins for myself over the last 24 hours. All three are listed as coming from the IP Addresses of our NetScaler load balancer, not the originating IP address in question. I know this is not accurate because the load balancer is on a different subnet than my work PC, and I logged in once from home (which definitely shouldn't be showing a private IP).

Is there a way to get Orion to display the real IP address?

We've already reconfigured our NetScaler to pass X-Forwarded-For in our request headers, and I can see that in my IIS logs after adding that custom attribute. However, I can't seem to find any information on how to get Orion to notice this.

I should note that we use our NetScaler heavily, and I'm also worried about this being an issue with monitoring our websites.

  • ahbrook  wrote:

    Hey everyone!

    We're a new customer to the Orion platform, and we are setting up our Test/lab server ahead of rolling out production. I'm trying my hardest to take care of little things while other team members prep for our cutover.

    I was just looking at the audit log of logins to our environment, and noticed that it shows 3 logins for myself over the last 24 hours. All three are listed as coming from the IP Addresses of our NetScaler load balancer, not the originating IP address in question. I know this is not accurate because the load balancer is on a different subnet than my work PC, and I logged in once from home (which definitely shouldn't be showing a private IP).

    Is there a way to get Orion to display the real IP address?

    We've already reconfigured our NetScaler to pass X-Forwarded-For in our request headers, and I can see that in my IIS logs after adding that custom attribute. However, I can't seem to find any information on how to get Orion to notice this.

    I should note that we use our NetScaler heavily, and I'm also worried about this being an issue with monitoring our websites.

    Hi Tony,

    Are you looking at the IIS logs via the AppInsight for IIS IIS Event Log Monitor component?

  • Not as of yet. I was looking at the audit logs for SolarWinds itself. In this case, on the Orion Summary Home, "Last 10 Audit Events."

    The IPs are the internal addresses of our NetScaler VIP, and do not reflect the public IP or even the internal IP of our admins.

  • ahbrook  wrote:

    Not as of yet. I was looking at the audit logs for SolarWinds itself. In this case, on the Orion Summary Home, "Last 10 Audit Events."

    The IPs are the internal addresses of our NetScaler VIP, and do not reflect the public IP or even the internal IP of our admins.

    When you added the device to be monitored did you use the public IP address? How is your system configured?

  • This isn't a device. This is the Orion Web Console itself. We have the DNS for our Orion install set to forward to a NetScaler load balancer VIP, and that is then passing traffic onto the IIS instance of Orion.

    In Orion's IIS, we have enabled the "X-Forwarded-For" request header logging, so I can see the correct IP Address in the IIS logs. But Orion doesn't seem to see this.

  • ahbrook  wrote:

    This isn't a device. This is the Orion Web Console itself. We have the DNS for our Orion install set to forward to a NetScaler load balancer VIP, and that is then passing traffic onto the IIS instance of Orion.

    In Orion's IIS, we have enabled the "X-Forwarded-For" request header logging, so I can see the correct IP Address in the IIS logs. But Orion doesn't seem to see this.

    Ah, thanks Tony, that makes sense. Unfortunately, Orion won't be able to see your custom header in this case to capture the forwarded field in the Orion audit logs. However, if you're seeing this via the IIS logs, I would assume that if you're monitoring the IIS site via AppInsight for IIS, you would possibly see it via the real time event log viewer. Have you tried monitoring via AppInsight for IIS and checking the log viewer?

  • Ahh, okay. Yes, we do have AppInsight running on the Orion Web console. I'm personally having trouble getting the real time log viewer to show any information for IIS itself, but that is likely a configuration issue on my end.

    That said, knowing that I can't configure SolarWinds to report the X-Forwarded-For, and instead need to rely on the log viewers for accurate information on source IP, is good to know. The audit logs can tell us who logged in, and then we can drill down to figure out where if there is an issue.

    Thank you so much for your help on this!

  • ahbrook  wrote:

    Ahh, okay. Yes, we do have AppInsight running on the Orion Web console. I'm personally having trouble getting the real time log viewer to show any information for IIS itself, but that is likely a configuration issue on my end.

    That said, knowing that I can't configure SolarWinds to report the X-Forwarded-For, and instead need to rely on the log viewers for accurate information on source IP, is good to know. The audit logs can tell us who logged in, and then we can drill down to figure out where if there is an issue.

    Thank you so much for your help on this!

    No problem, let me know how it goes with your setup. If there's any feedback on how we can improve for your use cases, please let us know!

  • Whenever X-Forwarded-For is present, that's what should be used in logs. That should be changed in SolarWinds too.
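
The drill-down described in this thread (take a login from the audit log, then find its real source in the IIS log) can be scripted. The sketch below is an added example, not SolarWinds or forum code. It honours X-Forwarded-For only when the connecting peer is a known load balancer address, since a client can set the header itself. The proxy range, the `/console/login` path, the custom field name and the log lines are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: addresses the load balancer uses to reach IIS (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/28")]

# Constructed IIS W3C log; "X-Forwarded-For" is the custom field name assumed here.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2024-03-05 14:02:11 10.20.0.5 POST /console/login 302 10.8.4.23
2024-03-05 14:02:40 10.20.0.5 GET /console/summary 200 10.8.4.23
2024-03-05 21:17:03 10.20.0.6 POST /console/login 302 198.51.100.99,+203.0.113.77
2024-03-05 21:30:00 192.168.50.9 POST /console/login 302 198.51.100.1
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Return the address a request should be attributed to."""
    if not is_trusted(peer):
        return peer  # header arrived straight from a client: ignore it
    # IIS writes spaces inside field values as '+'.
    hops = [h.strip() for h in xff.replace("+", " ").split(",") if h.strip() not in ("", "-")]
    for hop in reversed(hops):  # rightmost entries were added by our own proxies
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: nothing to its left can be trusted
    return peer

def parse(log_text):
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def logins_near(log_text, audit_time, login_uri, window_s=60):
    """Resolved source IPs of login POSTs within window_s of an audit event (times in UTC)."""
    out = []
    for r in parse(log_text):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        if (r["cs-uri-stem"] == login_uri and r["cs-method"] == "POST"
                and abs(ts - audit_time) <= timedelta(seconds=window_s)):
            out.append(client_ip(r["c-ip"], r.get("X-Forwarded-For", "-")))
    return out
```

IIS writes W3C log times in UTC by default, so convert the audit event time before matching.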