-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nginx module: use first not private IP address as remote_ip #4417
Conversation
13a3b52
to
038ae1e
Compare
} | ||
<<<<<<< HEAD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please check this, there is a bad merge and tests are failing
038ae1e
to
c1eadae
Compare
filebeat/docs/fields.asciidoc
Outdated
=== nginx.access.remote_ip | ||
|
||
type: keyword | ||
|
||
Client IP address. | ||
Client IP address. The first non-private IP address from the `remote_ip_list` is preferred. If no public IP addresses are present, the first from the `remote_ip_list` array. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if there are no public IP addresses in remote_ip_list
, this field contains a private IP address, right? If that's true, we should be a bit more direct here and say something like:
The first public IP address from the remote_ip_list
array. If no public IP addresses are present, this field contains the first private IP address from the remote_ip_list
array.
c1eadae
to
5e8f61e
Compare
A common customization to the nginx logs is to add the contents of the X-Forwarded-For header in front of the remote IPs. This typically results in a list of remote IPs. This adds a new field `remote_ip_list` which is an array, and uses a Painless script to automatically select the first non-private IP for the `remote_ip` field, which is the field on which GeoIP is applied. Fixes elastic#4322.
5e8f61e
to
9011ed7
Compare
Comments addressed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…4417) A common customization to the nginx logs is to add the contents of the X-Forwarded-For header in front of the remote IPs. This typically results in a list of remote IPs. This adds a new field `remote_ip_list` which is an array, and uses a Painless script to automatically select the first non-private IP for the `remote_ip` field, which is the field on which GeoIP is applied. Fixes elastic#4322. (cherry picked from commit a2c162f)
…ess as remote_ip (#4703) * Nginx module: use first not private IP address as remote_ip (#4417) A common customization to the nginx logs is to add the contents of the X-Forwarded-For header in front of the remote IPs. This typically results in a list of remote IPs. This adds a new field `remote_ip_list` which is an array, and uses a Painless script to automatically select the first non-private IP for the `remote_ip` field, which is the field on which GeoIP is applied. Fixes #4322. (cherry picked from commit a2c162f)
This Pr is heavily inpired by the work done in [this PR](elastic/beats#4417) It is adressing [this ER](elastic/enhancements#14402). `Grok` pattern has been updated to match logs starting with a list of IP adresses and store all those ip in `apache.access.remote_ip`. This pattern is heavily insipred by the one in the nginx integration. I also decided to fill a new field `network.forwarded_ip` as it seems to be the perfect fit.
#3251) * Update: Add support for x_forwarded_for headers in apaches access logs This Pr is heavily inpired by the work done in [this PR](elastic/beats#4417) It is adressing [this ER](elastic/enhancements#14402). `Grok` pattern has been updated to match logs starting with a list of IP adresses and store all those ip in `apache.access.remote_ip`. This pattern is heavily insipred by the one in the nginx integration. I also decided to fill a new field `network.forwarded_ip` as it seems to be the perfect fit. Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
A common customization to the nginx logs is to add the contents
of the X-Forwarded-For header in front of the remote IPs. This
typically results in a list of remote IPs.
This adds a new field
remote_ip_list
which is an array, and usesa Painless script to automatically select the first non-private
IP for the
remote_ip
field, which is the field on which GeoIP isapplied.
Fixes #4322.