Unable to get X-Forwarded-For to display

Hi All,
New user here. I set out to try Elastic Stack for some more visibility/search-ability for our IIS logs. Unfortunately I have bumped into something I cannot get to work.

I set up a 3 node Elastic cluster + Kibana and got filebeat to send our (rather standard) set of IIS logs into Elastic, all visible in Kibana. Nice!
However, our IIS servers are fronted by a proxy. The X-Forwarded-For header is added to the end of the log entry in IIS.
I have found about a dozen links that describe this situation. Most are for version 6, some for early version 7, which seems different to my installation of version 7.9.3. I have changed the pipeline.yml file in the filebeat iis module and sent the pipeline to Elastic (I even tried deleting the whole filebeat index from Elastic before doing this), but no dice.
At this moment I probably lack the understanding of how the software shuffles the data around and have not been able to get the X-Forwarded data to show in Kibana using the dozen or so links I found.

Can anyone describe all the steps I need to take to get this to show in Kibana for the version 7.9.3?

Thanx a bunch in advance!
Grts, Bart
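The question above is about a W3C log whose last column is X-Forwarded-For. The following is an added example for this thread, not Filebeat's IIS module or its ingest pipeline: it parses an IIS W3C log by reading the `#Fields:` directive instead of hard-coding the column order, and then derives the client address from X-Forwarded-For without trusting the whole header. The header is supplied by the client, so only the hop appended by your own proxy can be relied on; the function therefore walks the chain from the right and stops at the first address that is not one of the configured proxies. The sample log lines are constructed, and the assumption that `10.10.1.15` is the proxy address is taken from the `source.ip` visible in the event posted later in the thread.

```python
"""Parse an IIS W3C access log whose final column is X-Forwarded-For and
derive a trustworthy client IP from it.

Added example for this thread; not Filebeat's IIS module or pipeline.
"""
import ipaddress
from typing import Dict, Iterator, List, Optional

# Assumption: the reverse proxy in front of IIS. In the thread's event the
# peer address (source.ip) is 10.10.1.15, which is consistent with a proxy.
TRUSTED_PROXIES: List[str] = ["10.10.1.15"]

# Constructed sample log. IIS replaces spaces inside a field with '+', so a
# header value "1.2.3.4, 203.0.113.7" is logged as "1.2.3.4,+203.0.113.7".
# Request 1: the client forged "1.2.3.4"; the proxy appended the real peer
# 203.0.113.7. Request 2: no X-Forwarded-For header ("-").
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For
2020-11-18 07:34:26 10.10.1.220 GET /occasions.aspx aid=3878990&herkomst=gpl 443 - 10.10.1.15 Mozilla/5.0 - 200 0 0 16 1.2.3.4,+203.0.113.7
2020-11-18 07:34:27 10.10.1.220 GET /index.html - 443 - 10.10.1.15 Mozilla/5.0 - 200 0 0 3 -
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in '#Fields:'.

    Other directives (#Software, #Version, #Date) are skipped. A line whose
    column count does not match the current header is rejected rather than
    silently mis-assigned, which is exactly the failure mode that makes a
    trailing custom column such as X-Forwarded-For 'disappear'.
    """
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            raise ValueError(
                f"column count {len(values)} does not match header "
                f"({len(fields)} fields): {line!r}"
            )
        yield dict(zip(fields, values))


def client_ip(event: Dict[str, str], trusted_proxies: List[str]) -> Optional[str]:
    """Return the client address that can actually be trusted.

    The hop list is X-Forwarded-For (left to right, as appended by each
    proxy) followed by the TCP peer c-ip. Walking from the right, every
    address belonging to one of our proxies is skipped; the first other
    address is the client as seen by the nearest trusted proxy. Anything
    further left was written by the client and is unverified, so it is
    never returned. Returns None when the chain is malformed or consists
    only of our own proxies.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    raw = event.get("X-Forwarded-For", "-")
    chain = [] if raw == "-" else [h.replace("+", " ").strip() for h in raw.split(",")]
    hops = chain + [event["c-ip"]]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # e.g. "unknown" or garbage: do not guess
        if addr not in trusted:
            return str(addr)
    return None


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev["c-ip"], ev["X-Forwarded-For"], "->", client_ip(ev, TRUSTED_PROXIES))
```

Run stand-alone, the first request resolves to `203.0.113.7` (the forged `1.2.3.4` to its left is ignored) and the second to `None`, because without a header the only known hop is the proxy itself. With an empty proxy list the function returns `10.10.1.15` for both, which is the same value the thread's event shows in `source.ip`: whatever pipeline finally extracts the column, the trusted-proxy list is what turns the header into a usable client address.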

Are you using the IIS module for this?

Yes I do. And the 'standard' part is landing in Elastic as expected.

Can you post an example event from Elasticsearch so we can see what it looks like?

Yes sure, thanks for looking! (I have redacted a few entries for some anonymity)

```json
{
  "_index": "filebeat-7.9.3-2020.11.11-000001",
  "_type": "_doc",
  "_id": "tXlG2xxxxxxpro34u1Ee",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "IS01NNHHMV",
      "name": "IS01NNHHMV",
      "id": "0efd101c-e768-xxxx-xxxx-ebcf39b4d005",
      "type": "filebeat",
      "ephemeral_id": "31fdefbf-b585-4501-a169-95695f2e0054",
      "version": "7.9.3"
    },
    "temp": {},
    "log": {
      "file": {
        "path": "D:\IISLogs\W3SVC5\u_ex201118_x.log"
      },
      "offset": 26308409
    },
    "destination": {
      "address": "10.10.1.220",
      "port": 443,
      "ip": "10.10.1.220"
    },
    "source": {
      "address": "10.10.1.15",
      "ip": "10.10.1.15"
    },
    "fileset": {
      "name": "access"
    },
    "url": {
      "path": "/occasions.aspx",
      "query": "aid=3878990&herkomst=gpl"
    },
    "input": {
      "type": "log"
    },
    "iis": {
      "access": {
        "sub_status": 0,
        "win32_status": 0
      }
    },
    "@timestamp": "2020-11-18T07:34:26.000Z",
    "ecs": {
      "version": "1.5.0"
    },
    "related": {
      "ip": [
        "10.10.1.15",
        "10.10.1.220"
      ]
    },
    "service": {
      "type": "iis"
    },
    "host": {
      "hostname": "IS01NNHHMV",
      "os": {
        "build": "17763.1397",
        "kernel": "10.0.17763.1397 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Standard",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "2a01:xxx:xx::210",
        "fe80::457c:2cb4:8df:e4c",
        "10.10.1.208",
        "10.10.1.210",
        "10.10.1.212",
        "10.10.1.214",
        "10.10.1.216",
        "10.10.1.220"
      ],
      "name": "IS01NNHHMV",
      "id": "1d2d74d3-xxxxxxx0f24264b",
      "mac": [
        "00:50:xxxxxx:4a"
      ],
      "architecture": "x86_64"
    },
    "http": {
      "request": {
        "referrer": ,
        "method": "GET"
      },
      "response": {
        "status_code": 200
      }
    },
    "event": {
      "duration": 16000000,
      "created": "2020-11-18T07:34:28.867Z",
      "kind": "event",
      "module": "iis",
      "category": [
        "web",
        "network"
      ],
      "type": [
        "connection"
      ],
      "dataset": "iis.access",
      "outcome": "success"
    },
    "user_agent": {
      "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
      "os": {
        "name": "iOS",
        "version": "14.0.1",
        "full": "iOS 14.0.1"
      },
      "name": "Mobile Safari",
      "device": {
        "name": "iPhone"
      },
      "version": "14.0"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-11-18T07:34:26.000Z"
    ],
    "event.created": [
      "2020-11-18T07:34:28.867Z"
    ],
    "suricata.eve.timestamp": [
      "2020-11-18T07:34:26.000Z"
    ]
  },
  "sort": [
    1605684866000
  ]
}
```

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

So sorry about this. I tried using the button and backticks but the forum website does not agree with my input. I am quite a newbie in this field. I will research further and try to post the log again later on.
