Cherry-pick #4351 to 5.x: Change grok pattern to fetch correct IP from X-Forwarded-For list #4706

Merged
merged 2 commits into from
Jul 19, 2017

@tsg tsg commented Jul 19, 2017

Cherry-pick of PR #4351 to 5.x branch. Original message:

This PR changes the grok pattern for the nginx access logs ingest file so that it retrieves the correct IP if the X-Forwarded-For header was logged instead of the remote_addr variable.

The X-Forwarded-For header is a non-standard header which creates a list of the IPs of the proxies through which the request has passed, as well as the original client's IP, and looks basically like this:

X-Forwarded-For: client1, proxy1, proxy2

which results in a log line like this:

192.228.32.190, 108.162.246.21, 127.0.0.1 - - [15/May/2017:12:16:27 +0200] "GET /jobs/24237/it-back-end HTTP/1.1" 301 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The new pattern retrieves the first IP, which is the important one, and matches none or all succeeding IPs that are concatenated with a comma and a space.
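The parsing behaviour described above, as an added example that is not code from this PR or from Filebeat: the regex is a constructed approximation of the nginx access-log format, not the module's grok pattern. It also goes one step beyond the PR with a hypothetical `nearest_untrusted` helper, because the first entry of the list is only as reliable as the outermost proxy's handling of the header; the trusted proxy ranges passed to it are assumptions.

```python
import ipaddress
import re

# Constructed regex approximating the behaviour the PR describes; it is not the
# grok pattern shipped in the Filebeat nginx module.
ACCESS_RE = re.compile(
    r'^(?P<ip_list>[^,\s]+(?:, [^,\s]+)*) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample line taken from the PR description.
SAMPLE = (
    '192.228.32.190, 108.162.246.21, 127.0.0.1 - - [15/May/2017:12:16:27 +0200] '
    '"GET /jobs/24237/it-back-end HTTP/1.1" 301 5 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'
)


def _as_ip(text):
    """Return an ip_address object, or None when text is not a valid IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_access_line(line):
    """Parse one access-log line; None when it does not match the format."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    chain = fields.pop("ip_list").split(", ")
    fields["ip_chain"] = chain
    # First entry of the list, as the PR describes; None if it is not an IP.
    fields["remote_ip"] = chain[0] if _as_ip(chain[0]) else None
    return fields


def nearest_untrusted(chain, trusted_nets):
    """Walk the chain right to left and return the first address outside the
    trusted proxy networks (hypothetical helper, beyond the PR's scope)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for entry in reversed(chain):
        ip = _as_ip(entry)
        if ip is None or not any(ip in net for net in nets):
            return entry
    return None
```

Keeping `ip_chain` alongside `remote_ip` lets an analyst compare the first entry with the address nearest to the proxies that are actually trusted.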

…astic#4351)

* Change grok pattern to fetch correct IP from X-Forwarded-For list.

* Document change to the nginx module in the changelog.

* Add tests for nginx access log.

(cherry picked from commit b6194b4)

tsg commented Jul 19, 2017

The code change in this one was already done, but this copies the test files from master to make sure everything is ok.

@tsg tsg mentioned this pull request Jul 19, 2017
@andrewkroh andrewkroh merged commit b7a6778 into elastic:5.x Jul 19, 2017