When a user logs on to horizon the status of their logon is logged to the apache error.log file. However this log data does not provide anything useful for the configuration of monitoring or security controls because it does not provide the REMOTE_IP.
Since some configurations use ha_proxy and some don't the logging will need to be able to determine if the user is accessing via a proxy or not. There are several issues with this as pointed out in this article: http://esd.io/blog/flask-apps-heroku-real-ip-spoofing.html. I would recommend using a function similar to what is in that post, however to get things working I have used the following code to get the log to display the end-user IP address:
/usr/lib/python2.7/dist-packages/openstack_auth/forms.py
27a28,34
> def get_client_ip(request):
> x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
> if x_forwarded_for:
> ip = x_forwarded_for
> else:
> ip = request.META.get('REMOTE_ADDR')
> return ip
94,95c101,102
< msg = 'Login successful for user "%(username)s".' % \
< {'username': username}
---
> msg = '$(remote_ip)s - Login successful for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_ip(self.request) }
98,99c105,106
< msg = 'Login failed for user "%(username)s".' % \
< {'username': username}
---
> msg = '%(remote_ip)s - Login failed for user "%(username)s".' % \
> {'username': username, 'remote_ip': get_client_ip(self.request) }
It's defiantly not the best answer, in fact it may not even be fully functional :), but something is needed to be able to monitor invalid attempts; unless something in django can be used to have some logic (beyond locking accounts) where it is able to send a user to a sink hole or something based on # of exceptions per session or something. But that's beyond the scope of this request :)
May have interpreted it wrong, but this seems more like a feature request? Marked as wishlist, for now :)