Migrating pipelines to ECS

javierE · July 3, 2019, 3:04pm

Hello,

I am migrating my own pipeline according to the common scheme for apache events using as example the one provided by the apache module in filebeat and the ESC documentation.

in these, the source address of the requests is stored in the source.ip field

However, apache when it is behind a proxy logs 2 different ips.

What is the correct way to store these fields using ECS?

Is correct to use client.ip for the user's ip and
source.ip for the proxy in this case ?

Other option is to store a list of ips in source.ip but i'm not sure if it is the best approach

Thanks in advance,
Javier.

spinscale · July 4, 2019, 8:23am

You could use the forwarded_ip field? See https://www.elastic.co/guide/en/ecs/1.0/ecs-network.html

--Alex

javierE · July 5, 2019, 2:19pm

Yes! it is a good option!
Thanks for pointing me out,

Regards
Javier.

system · August 2, 2019, 2:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ECS - Squid proxy log normalization Elasticsearch ecs-elastic-common-schema	4	1690	August 14, 2019
Support for source_ip_fieldname in all network input plugins Logstash	1	836	January 18, 2019
Elastic Common Schema and Logstash and Ingest node processing tagging Logstash ecs-elastic-common-schema	3	458	November 29, 2019
Mapping Apache HTTPD log output to ECS Schema? Elasticsearch ecs-elastic-common-schema	3	65	July 14, 2024
ECS mappings for asset tracking and port scanning output Elasticsearch ecs-elastic-common-schema	2	448	December 21, 2020

Migrating pipelines to ECS

Related topics