Traffic and Threat Log doesn't correctly translate the Source IP / X-Forwarded-For Value
paulkilla opened this issue · 3 comments
Describe the bug
When sending Traffic and Threat Logs (potentially others) with the X-Forwarded-For Header set in the log traffic the Palo Splunk Add-On isn't pulling out that data into client_ip or a new value?
We can see the XFF header value in the _raw log format, so the data is there and we can do our own transforming to pull it out if required, but a set solution as part of the Add-On would be beneficial.
Expected behavior
The XFF header is pulled out as a new value, e.g. xff_ip?
Current behavior
The XFF header isn't pulled out of the _raw log entry, so is not easily searchable or reportable.
Steps to reproduce
- Set up a proxy/load balancer and set the XFF header.
- Can see XFF header in Monitor Tab in the firewall logs
- Can see XFF header value in _raw log entry
- XFF value not pulled out as a specified field.
Thanks
As a note, looking at my _raw log and the transforms extract fields, my raw logs have an additional 54 fields that aren't mapped in the transforms.conf (Traffic log sourcetype).
Also looks like extra fields were added in recent versions.