CloudFlare X-Forwarded-For Real Source IP


I'm new to Elastic and need help to find the real IP of nginx site visitor.

The environment I have is Nginx module installed in Filebeat and reading the data passed via logstash to elasticsearch and viewed in kibana.

The site I have is proxied via Cloudflare, and as the documentation says here:

Is that (nginx.access.remote_ip_list) will read the X-Forwarded-For (which is the real ip of visitor and not cloudflare's IP)

But when checking this field in kibana, it gives Cloudflare's IP.

What shall I do to get the Real visitor IP?


What version of Filebeat are you using?

The documentation also says:

Real source IP is restored to source.ip .

Have you checked the source.ip field in Kibana?


Filebeat 7.8, and yes checked the source.ip and it is sending cloud-flare's IP.

Can you post a sample line from your Nginx log and point out which one is the cloudflare IP and which one is the IP of the visitor in that line? Also please post your complete filebeat.yml and modules.d/nginx.yml (with any sensitive information redacted). Then I can try to reproduce your scenario on my end.




In order to solve this issue, I've changed the nginx config file to list real Ip's instead of cloudflare.

I've used this as a turn around.

Here are the steps used.

The logs in nginx were only listing CD ip's and not both real and CD's Ip's


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.