Forum Discussion
JG
Aug 07, 2018Cumulonimbus
This is a case of multiple XFF headers and you can't really know which contains the end-user address unless you know the addresses of the intermediate systems to filter them out. To log all the addresses locally, you can do:
when HTTP_REQUEST {
if { [HTTP::header values "X-Forwarded-For"] ne "" } {
log local0. "[HTTP::header values \"X-Forwarded-For\"]"
}
}
You will need to make some changes for remote logging.