Migrating pipelines to ECS

Hello,

I am migrating my own pipeline to the common schema for Apache events, using as an example the one provided by the Apache module in Filebeat and the ECS documentation.

In these, the source address of the requests is stored in the source.ip field.

However, when Apache is behind a proxy, it logs 2 different IPs.

What is the correct way to store these fields using ECS?

Is it correct to use client.ip for the user's IP and
source.ip for the proxy in this case?

Another option is to store a list of IPs in source.ip, but I'm not sure if it is the best approach.

Thanks in advance,
Javier.

You could use the forwarded_ip field? See https://www.elastic.co/guide/en/ecs/1.0/ecs-network.html

--Alex

Yes! It is a good option!
Thanks for pointing it out,

Regards
Javier.
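
The mapping discussed in this thread, as an added example that is not part of the thread or of Filebeat's Apache module: the proxy's address goes to source.ip and the forwarded address to network.forwarded_ip, with non-IP values dropped so an `ip`-typed field never receives `-` or `unknown`. The LogFormat, the sample lines, the helper names and the choice of the leftmost forwarded entry are assumptions made for the example.

```python
import ipaddress
import re

# Assumed LogFormat (not from the thread):
#   "%h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 "203.0.113.7" - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 "-" - - [10/Oct/2019:13:55:37 +0000] "GET /health HTTP/1.1" 200 -',
    '192.0.2.10 "unknown, 203.0.113.7" - - [10/Oct/2019:13:55:38 +0000] "POST /login HTTP/1.1" 302 0',
]

def valid_ip(value):
    """Return the canonical IP string, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def to_ecs(line):
    """Map one access-log line to a nested ECS-style dict; None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    doc = {
        "http": {"request": {"method": m["method"]},
                 "response": {"status_code": int(m["status"])},
                 "version": m["ver"]},
        "url": {"original": m["path"]},
    }
    peer = valid_ip(m["peer"])  # %h is a hostname when lookups are enabled
    if peer:
        doc["source"] = {"ip": peer}
    # The header can be "-" (absent), a non-IP token, or a comma-separated
    # list. It is request-supplied, so it is recorded as claimed, not verified.
    claimed = [ip for ip in map(valid_ip, m["xff"].split(",")) if ip]
    if claimed:
        doc["network"] = {"forwarded_ip": claimed[0]}  # assumption: leftmost
    return doc

if __name__ == "__main__":
    for line in SAMPLE:
        print(to_ecs(line))
```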
