Suricata module - no parsing for XFF field (x forward ip)

sportelh · December 14, 2020, 8:07pm

Hi Guys,

I am playing arround with ELK for suricata logs, to see if it is suitable for my employer
I have created some nice dashboards (kibana) so far so good.

But to my surprise there is no suricata.eve field for the "xff" info in the suricata eve.json file!
For http traffic that's the real ip if you are behind a reverse proxy or so. This is an old option in the suricata config.

How can i add this extra field?

see also the list of exported fields for the suricata modiule, there is no mention of xff data

snippet from the eve.json log file:

en","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","xff":"172.25.232.35","http_content_type":"text/html","http_refer":"htt

mtojek · December 15, 2020, 8:26am

It looks like a miss. Would you mind opening an issue for Beats, so the team can look and prioritize it?

sportelh · December 15, 2020, 11:23am

Hi Marcin,

Thnx for the reply, i am not sure how to open an issue for beats?
how can i do that?

mtojek · December 15, 2020, 12:40pm

Please navigate to this page, select issue type and write a report: https://github.com/elastic/beats/issues/new/choose

sportelh · December 15, 2020, 6:02pm

I issued an enhancement request, ticket nr. #23149

thank you

system · January 12, 2021, 8:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat pipping Suricatas eve.json issues Beats filebeat	2	1442	April 1, 2020
Filebeat suricata Beats beats-module , filebeat	10	899	June 28, 2022
Filebeat doesn't catchup with suricata eve.json Beats filebeat	7	1886	September 9, 2021
I didnt get suricata eve.json Kibana	5	1573	August 29, 2019
No data in suricata dashboard Beats filebeat	7	515	February 20, 2024

Suricata module - no parsing for XFF field (x forward ip)

Related topics