Nginx & proxies

I've just setup filebeat for an existing elastic stack primarily to analyze the the access logs from nginx. I used the setup command and it all went ok without any problems. I've encoutered one issue in the index data though, which I'm not sure how it could be fixed.
The site uses several proxies infront of nginx, which means that nginx will write the IPs from the X-Forward-For header into the access log. A line in there therefore basically looks like this:

client_ip, proxy1_ip, proxy2_ip - - [date] "message"

It seems like filebeat only extracts the proxy2_ip address. Is there a way to extract the left most address i.e. the client_ip?
I looked into the nginx module in the filebeat repo and saw that grok extracts the IP using the pattern %{IPORHOST:nginx.access.remote_ip}. I tried that on the tools mentioned in the grok documentation and there it extracted the correct IP, so did I miss something?

Looking at our grok pattern for the nginx access logs it currently supports only 1 IP address. Could you open a feature request on https://github.com/elastic/beats for support of multiple ip adresses? Please share there also some "real" log output as this will make it much easier for us to test it.

Yes I can, although initially it would already be good, to just get the client IP, which ist the first one in the list.

Also for this we probably need the Issue.

As a reference, here is the issue: https://github.com/elastic/beats/issues/4322

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.