I am migrating my own pipeline according to the common scheme for apache events using as example the one provided by the apache module in filebeat and the ESC documentation.
in these, the source address of the requests is stored in the source.ip field
However, apache when it is behind a proxy logs 2 different ips.
What is the correct way to store these fields using ECS?
Is correct to use client.ip for the user's ip and
source.ip for the proxy in this case ?
Other option is to store a list of ips in source.ip but i'm not sure if it is the best approach
Thanks in advance,