8 Replies Latest reply on Oct 27, 2019 6:17 AM by adharkrader

    Web Console Audit Log - showing actual login IP behind load balancer?

    ahbrook

      Hey everyone!

       

      We're a new customer to the Orion platform, and we are setting up our Test/lab server ahead of rolling out production. I'm trying my hardest to take care of little things while other team members prep for our cutover.

       

      I was just looking at the audit log of logins to our environment, and noticed that it shows 3 logins for myself over the last 24 hours. All three are listed as coming from the IP addresses of our NetScaler load balancer, not the originating IP address in question. I know this is not accurate because the load balancer is on a different subnet than my work PC, and I logged in once from home (which definitely shouldn't be showing a private IP).

       

      Is there a way to get Orion to display the real IP address?

       

      We've already reconfigured our NetScaler to pass X-Forwarded-For in our request headers, and I can see that in my IIS logs after adding that custom attribute. However, I can't seem to find any information on how to get Orion to notice this.

       

      I should note that we use our NetScaler heavily, and I'm also worried about this being an issue with monitoring our websites.

        • Re: Web Console Audit Log - showing actual login IP behind load balancer?
          serena

          Hi Tony,

          Are you looking at the IIS logs via the AppInsight for IIS IIS Event Log Monitor component?

            • Re: Web Console Audit Log - showing actual login IP behind load balancer?
              ahbrook

              Not as of yet. I was looking at the audit logs for SolarWinds itself. In this case, on the Orion Summary Home, "Last 10 Audit Events."

               

               

              The IPs are the internal addresses of our NetScaler VIP, and do not reflect the public IP or even the internal IP of our admins.

                • Re: Web Console Audit Log - showing actual login IP behind load balancer?
                  serena

                  When you added the device to be monitored did you use the public IP address? How is your system configured?

                    • Re: Web Console Audit Log - showing actual login IP behind load balancer?
                      ahbrook

                      This isn't a device. This is the Orion Web Console itself. We have the DNS for our Orion install set to forward to a NetScaler load balancer VIP, and that is then passing traffic onto the IIS instance of Orion.

                       

                      In Orion's IIS, we have enabled the "X-Forwarded-For" request header logging, so I can see the correct IP Address in the IIS logs. But Orion doesn't seem to see this.

                        • Re: Web Console Audit Log - showing actual login IP behind load balancer?
                          serena

                          Ah, thanks Tony, that makes sense. Unfortunately, Orion won't be able to see your custom header in this case to capture the forwarded field in the Orion audit logs. However, if you're seeing this via the IIS logs, I would assume that if you're monitoring the IIS site via AppInsight for IIS, you would possibly see it via the real time event log viewer. Have you tried monitoring via AppInsight for IIS and checking the log viewer?

                           

                            • Re: Web Console Audit Log - showing actual login IP behind load balancer?
                              ahbrook

                              Ahh, okay. Yes, we do have AppInsight running on the Orion Web console. I'm personally having trouble getting the real time log viewer to show any information for IIS itself, but that is likely a configuration issue on my end.

                               

                              That said, knowing that I can't configure SolarWinds to report the X-Forwarded-For, and instead need to rely on the log viewers for accurate information on source IP, is good to know. The audit logs can tell us who logged in, and then we can drill down to figure out where if there is an issue.

                               

                              Thank you so much for your help on this!
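
The drill-down the thread settles on (audit log for who, IIS log for where) can be scripted. The sketch below is an added example, not part of the thread or of any SolarWinds tooling: it reads an IIS W3C log that carries the custom X-Forwarded-For field and returns the client address for login requests near an audit-event time, trusting the header only when the connection came from the load balancer. The proxy range, login path, sample log lines, matching UTC timestamps in both logs, and the load balancer appending the client address at the right of the header are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/28")]  # assumed NetScaler range
LOGIN_PATH = "/Orion/Login.aspx"                           # assumed login URL

# Constructed sample log; X-Forwarded-For is the custom field enabled in IIS.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status X-Forwarded-For
2019-10-21 14:02:11 POST /Orion/Login.aspx 10.20.0.5 302 192.168.40.17
2019-10-21 14:02:15 GET /Orion/SummaryView.aspx 10.20.0.5 200 192.168.40.17
2019-10-21 23:47:30 POST /Orion/Login.aspx 10.20.0.5 302 198.51.100.77,+203.0.113.50
2019-10-22 08:15:02 POST /Orion/Login.aspx 192.168.40.99 302 198.51.100.9
"""

def is_trusted(ip):
    """True only for a valid address inside the load balancer range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(c_ip, xff):
    """Real client address for one request."""
    if not is_trusted(c_ip) or xff in ("", "-"):
        return c_ip  # not via the load balancer: any XFF value is client-supplied
    hops = [h.strip() for h in xff.replace("+", " ").split(",")]
    for hop in reversed(hops):  # right-most entries were written by our proxies
        if not is_trusted(hop):
            return hop
    return c_ip

def parse_logins(text):
    """(timestamp, client IP) for every POST to the login page."""
    fields, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("cs-method") == "POST" and row.get("cs-uri-stem", "").lower() == LOGIN_PATH.lower():
                ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                out.append((ts, client_ip(row["c-ip"], row.get("X-Forwarded-For", "-"))))
    return out

def source_for_audit_event(audit_time, logins, window=timedelta(seconds=30)):
    """Client IPs of login POSTs within `window` of an audit-log login time."""
    return [ip for ts, ip in logins if abs(ts - audit_time) <= window]
```

In the sample, the third line carries a forged left-most entry that is ignored in favour of the address the load balancer appended, and the fourth line reached IIS without passing through the load balancer, so its header is disregarded entirely.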