I’m using Graylog 2.2.0 and have an HTTP input set up and taking data in.
The problem I have is that the gl2_remote_ip field of documents being stored is always 127.0.0.1 - no matter from which machine I am testing sending data from.
I believe this comes from the fact that I am using nginx as a reverse proxy in front of Graylog, so that I can have folks not worry about setting a port when sending data to graylog.
However, I was under the impression that, based on this part of the Graylog “Securing” documentation, I would just need to ensure nginx sets the X-Forwarded-For header (which I think I have set correctly in the above config). I have also set the trusted_proxies setting in my graylog.conf, like this:
As for setting the host field, in my particular case, not all of our applications sending data to Graylog have access to the client IP address (these are various kinds of JavaScript applications, operating in browser or hybrid mobile application environments). Ideally, I would not have to trouble the different development teams of all of our various applications to have to manually log the IP address of the running client. I think it should be technically possible to infer the IP address at a lower networking level from the graylog server.
Do you know if the GELF HTTP input supports inferring the IP address from any HTTP header at all? The old google groups post I linked to, it seems like the person from that post also tried setting the standard REMOTE_ADDR header manually in nginx to no avail.
If inferring the IP address from HTTP requests is missing from Graylog, can I help in adding it? I am happy to work with the Graylog team on GitHub to get this in place - it is important for me and my employer.
Finally, I think we should call out this behaviour (if it is unique to HTTP inputs) in the Graylog documentation. Once more, I am happy to assist in writing up the documentation. Just point me in the right direction on GitHub or elsewhere, I would be enthused to help out as Graylog is a radical product and I’d be excited to help the team in some way!
Additionally, there is an outstanding pull request to add support for pulling out IP info from the X-Forwarded-For header to GELF/HTTP inputs: https://github.com/Graylog2/graylog2-server/pull/3255. Too bad it’s sitting there idle…