Suricata module - no parsing for XFF field (x forward ip)

Hi Guys,

I am playing around with ELK for Suricata logs, to see if it is suitable for my employer.
I have created some nice dashboards (Kibana), so far so good.

But to my surprise there is no suricata.eve field for the "xff" info in the Suricata eve.json file!
For HTTP traffic that's the real IP if you are behind a reverse proxy or similar. This is an old option in the Suricata config.

How can I add this extra field?

See also the list of exported fields for the Suricata module; there is no mention of xff data.

snippet from the eve.json log file:

en","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","xff":"172.25.232.35","http_content_type":"text/html","http_refer":"htt
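As an added example (not part of the original post, the Suricata project or the Beats module), here is a small Python enrichment that pulls the `http.xff` value out of eve.json records into a hypothetical `client_ip` field. The sample records, the `TRUSTED_PROXIES` set and the field names `client_ip` / `client_ip_source` are constructed for this example; it assumes the xff key sits among the other `http_*` keys, as in the snippet above.

```python
import ipaddress
import json

# Constructed sample eve.json records (not from the original post). Suricata's
# xff "extra-data" mode writes the forwarded address next to the other http_*
# keys, which is where the snippet in the post shows it.
SAMPLE_EVE_LINES = [
    '{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"10.1.2.4",'
    '"http":{"hostname":"app.example","url":"/login","xff":"172.25.232.35"}}',
    # Direct client, no proxy in front: no xff key at all.
    '{"event_type":"http","src_ip":"192.0.2.10","dest_ip":"10.1.2.4",'
    '"http":{"hostname":"app.example","url":"/"}}',
    # Header present but not a usable address.
    '{"event_type":"http","src_ip":"10.1.2.3","dest_ip":"10.1.2.4",'
    '"http":{"hostname":"app.example","url":"/","xff":"not-an-ip"}}',
    # Forwarded header arriving from a host that is not one of our proxies.
    '{"event_type":"http","src_ip":"198.51.100.7","dest_ip":"10.1.2.4",'
    '"http":{"hostname":"app.example","url":"/","xff":"203.0.113.9"}}',
]

# Constructed value: the reverse proxies whose X-Forwarded-For we believe.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.2.3")}


def enrich_client_ip(raw_line: str) -> dict:
    """Add hypothetical client_ip / client_ip_source fields to one record.

    The xff value is used only when the packet-level src_ip is one of our own
    proxies and the header parses as an IP; otherwise fall back to src_ip.
    """
    event = json.loads(raw_line)
    src_ip = event.get("src_ip")
    xff = event.get("http", {}).get("xff")
    client_ip, source = src_ip, "src_ip"
    if xff is not None:
        try:
            forwarded = ipaddress.ip_address(xff.strip())
            if ipaddress.ip_address(src_ip) in TRUSTED_PROXIES:
                client_ip, source = str(forwarded), "xff"
            else:
                source = "xff_untrusted_proxy"
        except ValueError:
            source = "xff_unparseable"
    event["client_ip"] = client_ip
    event["client_ip_source"] = source
    return event
```

Keeping `client_ip_source` alongside the address lets a dashboard show how many events relied on the forwarded header versus the packet source.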

It looks like a miss. Would you mind opening an issue for Beats, so the team can look and prioritize it?

Hi Marcin,

Thanks for the reply. I am not sure how to open an issue for Beats?
How can I do that?

Please navigate to this page, select issue type and write a report: https://github.com/elastic/beats/issues/new/choose

I issued an enhancement request, ticket nr. #23149

Thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.