How to store IIS X-Forwarded-For IP with field type IPORHOST

I'm trying to grok these entries

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-10-23 19:35:15 10.10.10.73 GET /some/path/here.exe - 443 - 10.10.10.124 ELB-HealthChecker/2.0 - 200 0 0 182 -
2020-10-23 19:35:24 10.10.10.73 GET / - 443 - 10.10.10.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 - 302 0 0 110 8.8.8.9

If I use something like this %{IPORHOST:iis.access.xforwardedfor} for X-Forwarded-For, it fails with the error below.

"type"=>"illegal_argument_exception", "reason"=>"'-' is not an IP string literal."

Because it sends - for some requests.

How can I meet my need?
If the value for X-Forwarded-For is '-', I'm OK to simply drop the field.
My end goal is: if I see a real IP for X-Forwarded-For, I need to store it in a field with the correct field type of IPORHOST.

You should replace this value with empty content.

I do not have the exact syntax at hand, but you can typically modify the pattern to either match IPORHOST or - (not captured), possibly something like this: (%{IPORHOST:iis.access.xforwardedfor}|-)

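The outcome the alternation above aims for, reproduced in Python as an added example (not code from this thread, and not grok itself): the field is stored only when X-Forwarded-For holds a real IP and is omitted when IIS logs `-`. The `iis.access.xforwardedfor_raw` field name and the third sample line are assumptions made for illustration; X-Forwarded-For is a client-supplied header, so anything that is not a valid IP is kept as text instead of being sent to an IP-typed field.

```python
import ipaddress

# Field order copied from the #Fields header in the question.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
          "time-taken X-Forwarded-For").split()

# First two lines are the samples from the question; the third is constructed
# to show a header value that is neither '-' nor an IP.
SAMPLE_LINES = [
    "2020-10-23 19:35:15 10.10.10.73 GET /some/path/here.exe - 443 - 10.10.10.124 "
    "ELB-HealthChecker/2.0 - 200 0 0 182 -",
    "2020-10-23 19:35:24 10.10.10.73 GET / - 443 - 10.10.10.11 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:81.0)+Gecko/20100101+Firefox/81.0 "
    "- 302 0 0 110 8.8.8.9",
    "2020-10-23 19:35:30 10.10.10.73 GET / - 443 - 10.10.10.11 curl/7.68.0 "
    "- 200 0 0 95 unknown",
]


def parse_iis_line(line):
    """Split one W3C log line into a dict; store X-Forwarded-For only if it is an IP."""
    values = line.split(" ")  # IIS writes spaces inside values as '+', so this is safe
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    event = dict(zip(FIELDS, values))
    xff = event.pop("X-Forwarded-For")
    if xff == "-":
        return event  # header absent: drop the field, as the question asks
    try:
        # Valid IPv4/IPv6 literal: safe to index into an IP-typed field.
        event["iis.access.xforwardedfor"] = str(ipaddress.ip_address(xff))
    except ValueError:
        # Hypothetical text field: keeps malformed or spoofed values visible
        # without triggering the "not an IP string literal" indexing error.
        event["iis.access.xforwardedfor_raw"] = xff
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_iis_line(sample)
        print({k: v for k, v in parsed.items() if k.startswith("iis.")})
```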

That's even better! :wink:

Thanks, this worked.
