Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nginx module: use first not private IP address as remote_ip #4417

Merged
merged 1 commit into from
Jun 2, 2017

Conversation

tsg
Copy link
Contributor

@tsg tsg commented May 29, 2017

A common customization to the nginx logs is to add the contents
of the X-Forwarded-For header in front of the remote IPs. This
typically results in a list of remote IPs.

This adds a new field remote_ip_list which is an array, and uses
a Painless script to automatically select the first non-private
IP for the remote_ip field, which is the field on which GeoIP is
applied.

Fixes #4322.

@tsg tsg added Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. review v5.5.0 v6.0.0-alpha2 labels May 29, 2017
@tsg tsg force-pushed the nginx_use_first_non_private_ip branch from 13a3b52 to 038ae1e Compare May 29, 2017 22:30
}
<<<<<<< HEAD
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please check this, there is a bad merge and tests are failing

@tsg tsg force-pushed the nginx_use_first_non_private_ip branch from 038ae1e to c1eadae Compare May 30, 2017 08:15
=== nginx.access.remote_ip

type: keyword

Client IP address.
Client IP address. The first non-private IP address from the `remote_ip_list` is preferred. If no public IP addresses are present, the first from the `remote_ip_list` array.
Copy link
Contributor

@dedemorton dedemorton May 30, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if there are no public IP addresses in remote_ip_list, this field contains a private IP address, right? If that's true, we should be a bit more direct here and say something like:

The first public IP address from the remote_ip_list array. If no public IP addresses are present, this field contains the first private IP address from the remote_ip_list array.

@tsg tsg force-pushed the nginx_use_first_non_private_ip branch from c1eadae to 5e8f61e Compare May 31, 2017 10:18
A common customization to the nginx logs is to add the contents
of the X-Forwarded-For header in front of the remote IPs. This
typically results in a list of remote IPs.

This adds a new field `remote_ip_list` which is an array, and uses
a Painless script to automatically select the first non-private
IP for the `remote_ip` field, which is the field on which GeoIP is
applied.

Fixes elastic#4322.
@tsg tsg force-pushed the nginx_use_first_non_private_ip branch from 5e8f61e to 9011ed7 Compare May 31, 2017 10:19
@tsg
Copy link
Contributor Author

tsg commented May 31, 2017

Comments addressed.

Copy link
Contributor

@exekias exekias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@exekias exekias merged commit a2c162f into elastic:master Jun 2, 2017
@tsg tsg added v5.6.0 and removed v5.5.0 labels Jul 19, 2017
tsg added a commit to tsg/beats that referenced this pull request Jul 19, 2017
…4417)

A common customization to the nginx logs is to add the contents
of the X-Forwarded-For header in front of the remote IPs. This
typically results in a list of remote IPs.

This adds a new field `remote_ip_list` which is an array, and uses
a Painless script to automatically select the first non-private
IP for the `remote_ip` field, which is the field on which GeoIP is
applied.

Fixes elastic#4322.
(cherry picked from commit a2c162f)
@tsg tsg removed the needs_backport PR is waiting to be backported to other branches. label Jul 19, 2017
exekias pushed a commit that referenced this pull request Jul 19, 2017
…ess as remote_ip (#4703)

* Nginx module: use first not private IP address as remote_ip (#4417)

A common customization to the nginx logs is to add the contents
of the X-Forwarded-For header in front of the remote IPs. This
typically results in a list of remote IPs.

This adds a new field `remote_ip_list` which is an array, and uses
a Painless script to automatically select the first non-private
IP for the `remote_ip` field, which is the field on which GeoIP is
applied.

Fixes #4322.
(cherry picked from commit a2c162f)
redcinelli added a commit to redcinelli/integrations that referenced this pull request Jul 18, 2022
This Pr is heavily inpired by the work done in [this PR](elastic/beats#4417)
It is adressing [this ER](elastic/enhancements#14402).

`Grok` pattern has been updated to match logs starting with a list of IP
adresses and store all those ip in `apache.access.remote_ip`.
This pattern is heavily insipred by the one in the nginx integration.

I also decided to fill a new field `network.forwarded_ip` as it seems to
be the perfect fit.
redcinelli added a commit to elastic/integrations that referenced this pull request Aug 29, 2022
#3251)

* Update: Add support for x_forwarded_for headers in apaches access logs

This Pr is heavily inpired by the work done in [this PR](elastic/beats#4417)
It is adressing [this ER](elastic/enhancements#14402).

`Grok` pattern has been updated to match logs starting with a list of IP
adresses and store all those ip in `apache.access.remote_ip`.
This pattern is heavily insipred by the one in the nginx integration.

I also decided to fill a new field `network.forwarded_ip` as it seems to
be the perfect fit.

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants