Suricata module - no parsing for XFF field (x forward ip)

Hi Guys,

I am playing arround with ELK for suricata logs, to see if it is suitable for my employer
I have created some nice dashboards (kibana) so far so good.

But to my surprise there is no suricata.eve field for the "xff" info in the suricata eve.json file!
For http traffic that's the real ip if you are behind a reverse proxy or so. This is an old option in the suricata config.

How can i add this extra field?

see also the list of exported fields for the suricata modiule, there is no mention of xff data

snippet from the eve.json log file:

en","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","xff":"","http_content_type":"text/html","http_refer":"htt

It looks like a miss. Would you mind opening an issue for Beats, so the team can look and prioritize it?

Hi Marcin,

Thnx for the reply, i am not sure how to open an issue for beats?
how can i do that?

Please navigate to this page, select issue type and write a report:

I issued an enhancement request, ticket nr. #23149

thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.