X-Forwarded-For in Elasticsearch/Kibana Logs

We have Kibana and Elasticsearch behind AVI (Nginx) load balancers, and that is unfortunately masking the true client IP addresses that are accessing Kibana/Elasticsearch. We are logging XFF headers on all the LB configs, and we have configured our IIS, Exchange, and Apache logs to include the XFF IPs, but how can we also get Elasticsearch and Kibana themselves to log the XFF headers from clients/Beats/etc. that are accessing the cluster through the LBs?

Thanks in advance!


I worked on this for Exchange IIS logs a few years back. Since it isn't a standard field, Elastic doesn't process it. How to add it depends on how you are ingesting the logs. We were using Logstash, so it was as simple as adding fields to the grok pattern (yet grok is never simple).

For Beats, there is another post that talked about adding a field definition to the module, then forcing Filebeat to reload the ingest pipelines.

Both of these depend on whether you have added other optional fields and on their order in the log record. You'll want to run the XFF IPs through geoip too. The other event types will be similar; solving the first will be hardest :-)
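An added illustration of the field-order point in the reply above, not code from the thread: the Python sketch below reads an IIS W3C log by its `#Fields:` header instead of by fixed position, then picks the address to hand to geoip by walking the XFF chain from the right and stopping at the first hop that is not a trusted load balancer. The column name `X-Forwarded-For`, the `10.0.0.0/24` proxy range and the sample lines are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample: IIS W3C log with a custom X-Forwarded-For column.
# IIS writes spaces inside a value as '+', hence ",+" in the second record.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status X-Forwarded-For
2024-01-15 10:00:01 10.0.0.20 GET /owa/ 10.0.0.5 200 203.0.113.7
2024-01-15 10:00:02 10.0.0.20 GET /owa/ 10.0.0.5 200 198.51.100.9,+203.0.113.8
2024-01-15 10:00:03 10.0.0.20 GET /health 10.0.0.5 200 -
"""

# Assumption: the load balancers live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(c_ip, xff):
    """Start at the TCP peer; while the current hop is a trusted proxy,
    accept the hop it reported. Entries further left are client-supplied."""
    hops = [] if xff in ("", "-") else [
        h.strip() for h in xff.replace("+", " ").split(",")]
    current = ipaddress.ip_address(c_ip)
    for hop in reversed(hops):
        if not is_trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


def parse_log(text):
    """Map each record to its field names using the most recent #Fields line,
    so optional columns and their order do not matter."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["client_ip"] = client_ip(
                row["c-ip"], row.get("X-Forwarded-For", "-"))
            events.append(row)
    return events
```
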

Hi Len,

Thanks for the response. I am actually talking about Elasticsearch and Kibana logs themselves. We already have IIS, Exchange, and Apache logs figured out.

