How to store iis x-forwarded-for ip with field type IPORHOST

I'm trying to grok these entries

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-10-23 19:35:15 GET /some/path/here.exe - 443 - ELB-HealthChecker/2.0 - 200 0 0 182 -
2020-10-23 19:35:24 GET / - 443 - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - 302 0 0 110

If I use something like this %{IPORHOST:iis.access.xforwardedfor} for X-Forwarded-For it fails with below error.

"type"=>"illegal_argument_exception", "reason"=>"'-' is not an IP string literal."

Because is sends - for some requests.

How can i meet my need.
If the value for X-Forwarded-For is '-' I'm ok to simply drop the field.
My end goal is if i see a real IP for X-Forwarded-For i need to store it in a field with correct field type of IPORHOST

You should replace this value by an empty content.

I do not have the exact syntax at hand, but can typically modify the pattern to either match IPORHOST or - (not captured), possibly something like this: (%{IPORHOST:iis.access.xforwardedfor}|-)


That's even better! :wink:

Thanks this worked

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.