I am playing arround with ELK for suricata logs, to see if it is suitable for my employer
I have created some nice dashboards (kibana) so far so good.
But to my surprise there is no suricata.eve field for the "xff" info in the suricata eve.json file!
For http traffic that's the real ip if you are behind a reverse proxy or so. This is an old option in the suricata config.
How can i add this extra field?
see also the list of exported fields for the suricata modiule, there is no mention of xff data
snippet from the eve.json log file:
en","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","xff":"172.25.232.35","http_content_type":"text/html","http_refer":"htt