Migrating pipelines to ECS


I am migrating my own pipeline according to the common scheme for apache events using as example the one provided by the apache module in filebeat and the ESC documentation.

in these, the source address of the requests is stored in the source.ip field

However, apache when it is behind a proxy logs 2 different ips.

What is the correct way to store these fields using ECS?

Is correct to use client.ip for the user's ip and
source.ip for the proxy in this case ?

Other option is to store a list of ips in source.ip but i'm not sure if it is the best approach

Thanks in advance,

You could use the forwarded_ip field? See https://www.elastic.co/guide/en/ecs/1.0/ecs-network.html


Yes! it is a good option!
Thanks for pointing me out,


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.