diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index b527b8fca2..7240f51cc1 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -228,7 +228,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
 UserSubject subject = new UserSubjectImpl(threadPool, superuser);
 threadContext.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
 threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, superuser);
- auditLog.logSucceededLogin(sslPrincipal, true, null, request);
 return true;
 }
@@ -393,9 +392,12 @@ public boolean authenticate(final SecurityRequestChannel request) {
 final User impersonatedUser = impersonate(request, authenticatedUser);
 final User effectiveUser = impersonatedUser == null ? authenticatedUser : impersonatedUser;
 threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, effectiveUser);
+ if (effectiveUser != authenticatedUser) {
+ threadPool.getThreadContext()
+ .putTransient(ConfigConstants.OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER, authenticatedUser.getName());
+ }
 UserSubject subject = new UserSubjectImpl(threadPool, effectiveUser);
 threadPool.getThreadContext().putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
- auditLog.logSucceededLogin(effectiveUser.getName(), false, authenticatedUser.getName(), request);
 } else {
 if (isDebugEnabled) {
 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
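Review bot: With the audit call removed here, a successful client-certificate superuser login is recorded only if the request later reaches SecurityRestFilter.handleRequest, where this commit adds the replacement call in the superadmin branch. Any other caller of authenticate() that does not pass through that filter would now leave no succeeded-login event, which is worth confirming since the filter is the only place the event is re-added in this diff. The replacement also records `user.getName()` rather than `sslPrincipal`, so the audited principal changes if the two differ for the superuser; a comment at the removal site, `// succeeded-login audit for this path is emitted in SecurityRestFilter after authorization`, would make the relocation discoverable. The enclosing authenticate method starts and ends outside the hunk.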
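Review bot: The guard `if (effectiveUser != authenticatedUser)` is a reference comparison that holds only because of the ternary two lines above; `if (impersonatedUser != null)` states what is meant and does not depend on how effectiveUser is built. Separately, the removed call passed `authenticatedUser.getName()` as the initiating user on every successful login, whereas the new transient is set only when impersonation happened, so the initiating-user field of the audit event now emitted in SecurityRestFilter becomes null for ordinary logins; if that is deliberate it should be stated in the commit, otherwise put the transient unconditionally. The transient is also never cleared on this path, so if a thread context were reused for a later authentication without being stashed per request, a stale initiating user could be attributed to it; this hunk does not show how the context is scoped. authenticate continues outside the hunk.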
@@ -426,7 +428,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
 threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
 threadPool.getThreadContext().putPersistent(ConfigConstants.OPENDISTRO_SECURITY_AUTHENTICATED_USER, subject);
- auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
 if (isDebugEnabled) {
 log.debug("Anonymous User is authenticated");
 }
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index 12dd68d1f8..da4e0d2f59 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -72,6 +72,7 @@ import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
 import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER;
 public class SecurityRestFilter {
@@ -156,6 +157,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 final SecurityRequestChannel requestChannel = SecurityRequestFactory.from(request, channel);
+ String intiatingUser = threadContext.getTransient(OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER);
 // Authenticate request
 if (!NettyAttribute.popFrom(request, Netty4HttpRequestHeaderVerifier.IS_AUTHENTICATED).orElse(false)) {
 // we aren't authenticated so we should skip this step
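Review bot: `String intiatingUser = threadContext.getTransient(OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER);` runs before the `// Authenticate request` block, yet that transient is written by BackendRegistry.authenticate in this same commit. If a request is authenticated inside that block rather than upstream in the header verifier, the value is read before it exists and the audit entries added later in this method carry a null initiating user; reading it after authentication has completed, immediately before the superadmin check, removes the ordering dependency. The identifier is also misspelled and, unlike the neighbouring locals, not final: `final String initiatingUser = threadContext.getTransient(OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER);`. handleRequest's body continues outside the hunk.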
@@ -170,6 +172,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
 if (userIsSuperAdmin(user, adminDNs)) {
 // Super admins are always authorized
+ auditLog.logSucceededLogin(user.getName(), true, intiatingUser, requestChannel);
 delegate.handleRequest(request, channel, client);
 return;
 }
@@ -189,6 +192,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 }
 // Caller was authorized, forward the request to the handler
+ auditLog.logSucceededLogin(user == null ? null : user.getName(), false, intiatingUser, requestChannel);
 delegate.handleRequest(request, channel, client);
 }
 }
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index b2a9387c9a..9aa6ec35fc 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -120,6 +120,9 @@ public class ConfigConstants {
 public static final String OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT = OPENDISTRO_SECURITY_CONFIG_PREFIX + "user_info";
+ public static final String OPENDISTRO_SECURITY_IMPERSONATION_INITIATING_USER = OPENDISTRO_SECURITY_CONFIG_PREFIX
+ + "impersonation_initiating_user";
+
 public static final String OPENDISTRO_SECURITY_INJECTED_USER = "injected_user";
 public static final String OPENDISTRO_SECURITY_INJECTED_USER_HEADER = "injected_user_header";
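Review bot: `auditLog.logSucceededLogin(user == null ? null : user.getName(), false, intiatingUser, requestChannel)` runs for every request that passes authorization, so a succeeded-login event can now be emitted with a null user, while the superadmin branch in the preceding hunk calls `user.getName()` unguarded; either a null user cannot reach this point and the ternary is dead, or it can and the event should not be recorded as a successful login for it. Relocating the event from authenticate() to after authorization also changes what it records: a request that authenticates but is rejected by the authorization checks between the two hunks no longer produces a succeeded-login entry, and consumers of the audit trail that use that event to detect credential use should be told of the change in the commit message. Both points apply to the -170 hunk as well; handleRequest continues outside the hunks.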