Hello,
I'll describe the scenario.
The systems involved are:
- reverse proxy
- Elastic
- Kibana
- Suricata
- Logstash
Currently, on the Kibana monitoring dashboard, I only see incoming traffic to the servers with the reverse proxy's IP. So I flagged a field on the reverse proxy to see the original source IP in a custom header named “client_ip”.
I need to take this field and display it on the Kibana dashboard.
Yesterday I modified the suricata.yaml configuration file, adding the string “custom : [client_ip]” in the http section, but this morning I didn’t find anything about it.
Can you help me? I don’t know the exact steps to take to do this…
Thank you very much.