diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6897d4038f..28a369c548 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 - [#7280](https://github.com/thanos-io/thanos/pull/7281): Adding User-Agent to request logs
 - [#7219](https://github.com/thanos-io/thanos/pull/7219): Receive: add `--remote-write.client-tls-secure` and `--remote-write.client-tls-skip-verify` flags to stop relying on grpc server config to determine grpc client secure/skipVerify.
 - [#7297](https://github.com/thanos-io/thanos/pull/7297): *: mark as not queryable if status is not ready
+- [#7302](https://github.com/thanos-io/thanos/pull/7303) Considering the `X-Forwarded-For` header for the remote address in the logs.
 
 ### Changed
 
diff --git a/pkg/logging/http.go b/pkg/logging/http.go
index d7d8b29962..229bcf0799 100644
--- a/pkg/logging/http.go
+++ b/pkg/logging/http.go
@@ -37,13 +37,19 @@ func (m *HTTPServerMiddleware) preCall(name string, start time.Time, r *http.Req
 
 func (m *HTTPServerMiddleware) postCall(name string, start time.Time, wrapped *httputil.ResponseWriterWithStatus, r *http.Request) {
 	status := wrapped.Status()
+
+	remoteAddr := r.Header.Get("X-Forwarded-For")
+	if remoteAddr == "" {
+		remoteAddr = r.RemoteAddr
+	}
+
 	logger := log.With(m.logger,
 		"http.method", fmt.Sprintf("%s %s", r.Method, r.URL),
 		"http.request_id", r.Header.Get("X-Request-ID"),
 		"http.user_agent", r.Header.Get("User-Agent"),
 		"http.status_code", fmt.Sprintf("%d", status),
 		"http.time_ms", fmt.Sprintf("%v", durationToMilliseconds(time.Since(start))),
-		"http.remote_addr", r.RemoteAddr,
+		"http.remote_addr", remoteAddr,
 		"thanos.method_name", name)
 
 	logger = m.opts.filterLog(logger)