Change grok pattern to fetch correct IP from X-Forwarded-For list #4351
Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run.
jenkins, test it
LGTM
LGTM. Could you add a changelog entry? I would put it under "Added" as this is not really a bugfix but a new feature.
Can one of the admins verify this patch?
I added the change to the changelog as requested.
@sepal Can you add a test case (
Yes, I can. I'll look into that tomorrow or on Thursday.
jenkins, test it
…astic#4351) * Change grok pattern to fetch correct IP from X-Forwarded-For list. * Document change to the nginx module in the changelog. * Add tests for nginx access log. (cherry picked from commit b6194b4)
) * Change grok pattern to fetch correct IP from X-Forwarded-For list. * Document change to the nginx module in the changelog. * Add tests for nginx access log. (cherry picked from commit b6194b4)
This PR changes the grok pattern for the nginx access logs ingest file so that it retrieves the correct IP if the X-Forwarded-For header was logged instead of the remote_addr variable.
The X-Forwarded-For header is a non-standard header which creates a list of the IPs of the proxies through which the request has passed, as well as the original client's IP, and looks basically like this:
which results in a log line like this:
The new pattern retrieves the first IP, which is the important one, and matches none or all succeeding IPs that are concatenated with a comma and a space.
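The behaviour described in the PR text above, as an added Python example (not the grok pattern or tests from this PR): the leading field is read as one address followed by zero or more ", address" entries, and every entry is validated as a real IP. The field names `remote_ip` and `forwarded_chain` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Leading field: one address, then zero or more ", address" entries,
# followed by the usual " - user [time]" part of the combined log format.
LINE_RE = re.compile(
    r'^(?P<first>[0-9A-Fa-f.:]+)'
    r'(?P<rest>(?:, [0-9A-Fa-f.:]+)*)'
    r' - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_access_line(line):
    """Return the parsed fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        first = ipaddress.ip_address(m.group("first"))
        rest = [ipaddress.ip_address(p) for p in m.group("rest").split(", ") if p]
    except ValueError:
        return None  # character class matched, but it is not a real address
    return {
        "remote_ip": str(first),                      # hypothetical field name
        "forwarded_chain": [str(ip) for ip in rest],  # hypothetical field name
        "user": m.group("user"),
        "time": m.group("time"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


# Constructed sample lines (documentation address ranges), not taken from the PR.
SAMPLES = [
    '203.0.113.7 - - [07/Dec/2016:10:34:43 +0100] "GET / HTTP/1.1" 200 612',
    '203.0.113.7, 198.51.100.2, 192.0.2.10 - - [07/Dec/2016:10:34:43 +0100] "GET /a HTTP/1.1" 404 571',
    '2001:db8::1, 192.0.2.10 - - [07/Dec/2016:10:34:43 +0100] "GET /b HTTP/1.1" 200 10',
    '999.1.1.1, 192.0.2.10 - - [07/Dec/2016:10:34:43 +0100] "GET /c HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_access_line(sample))
```

The last sample is rejected because `999.1.1.1` passes the character class but fails `ipaddress` validation, so a malformed leading entry never ends up in the IP field.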