Pro tip for network & system admins... If you have a load balancer set up in front of your web-facing servers (like OWA, etc), please consider enabling the X-Forwarded-For header to make log analysis easier during the inevitable IR. This header captures the actual source IP of the request and passes it to the backend server, despite the traffic appearing to come from the load balancer's IP. #infosec #DFIR

@eric_capuano Reminder that this has to be configured in 3 places: Load balancer, web server, log aggregation tool (SIEM).

And, the header is not always called X-Forwarded-For. Depends on the load balancer setup. Then, the web server needs to be configured to log the header, and your SIEM needs to understand how to ingest the header.

You want to log both IPs: (1) the X-Forwarded-For IP of the "real client", and (2) the IP that accessed the web server directly. The value of collecting the "direct IP" is that it will tell you if the client connected via your load balancer or if they bypassed the load balancer. If you skip the "direct IP" then your logs will have no IP address at all when someone bypasses your load balancer, and that's a real bummer.

But, yeah, holy cow, the sadness of not having real client IPs in your logs is intense.
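
An added example, not part of either post above: a log triage sketch that uses both logged IPs to tell load-balanced requests from ones that bypassed the load balancer. The log layout, the load balancer address `10.0.0.10`, and the sample lines are assumptions constructed for illustration; the header value is trusted only when the direct peer is the load balancer, and then only its right-most entry (the one the load balancer appended).

```python
import ipaddress
import re

# Assumption: the load balancer's address as seen by the web server.
TRUSTED_LBS = {ipaddress.ip_address("10.0.0.10")}

# Assumed layout: direct peer IP first, X-Forwarded-For as the last quoted field.
LINE_RE = re.compile(
    r'^(?P<direct>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<xff>[^"]*)"$'
)

def classify(line):
    """Return the request path (via LB or not) and the client IP to attribute."""
    m = LINE_RE.match(line)
    if not m:
        return {"path": "unparsed", "client": None, "direct": None}
    try:
        direct = ipaddress.ip_address(m["direct"])
    except ValueError:
        return {"path": "unparsed", "client": None, "direct": None}
    hops = [h.strip() for h in m["xff"].split(",") if h.strip() not in ("", "-")]
    if direct not in TRUSTED_LBS:
        # Peer is not the load balancer: any header value is client-supplied,
        # so the direct IP is the only address worth attributing.
        return {"path": "bypassed_lb", "client": str(direct), "direct": str(direct)}
    if not hops:
        # Came through the LB but no header arrived: LB or web server misconfigured.
        return {"path": "via_lb_no_header", "client": None, "direct": str(direct)}
    try:
        # Entries to the left of the last one were sent by the client and can be forged.
        client = str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return {"path": "via_lb_bad_header", "client": None, "direct": str(direct)}
    return {"path": "via_lb", "client": client, "direct": str(direct)}

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '10.0.0.10 - - [01/Jan/2024:10:00:00 +0000] "GET /owa/ HTTP/1.1" 200 512 "203.0.113.7"',
    '10.0.0.10 - - [01/Jan/2024:10:00:05 +0000] "GET /owa/ HTTP/1.1" 200 512 "192.0.2.99, 198.51.100.23"',
    '198.51.100.50 - - [01/Jan/2024:10:00:09 +0000] "GET /owa/ HTTP/1.1" 200 512 "10.1.1.1"',
    '10.0.0.10 - - [01/Jan/2024:10:00:12 +0000] "GET /owa/ HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```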