Nginx x-forwarded-for header array

(Chinmay Pandya) #1

I am collecting nginx logs in Graylog. One of the log fields is the xff header.

Now the xff header can have an unpredictable number of IPs.

Sometimes the string is like “xff=”, sometimes it is like “xff=,”, and sometimes it reaches up to 5 IPs.

Now I want to parse them into different fields. I do not know how to do it.

What I want is that for “xff=” it should be “xff1=” and for “xff=,” it should be “xff1=, xff2=”.

Is it possible? Or does someone have any other idea?

(Jochen) #2

You could probably use the split() function to split the contents of the “xff” field into a list.

(Chinmay Pandya) #3

Can you show me a sample pipeline or extractor code for this?

(Jochen) #4


rule "split-xff"
when
  // only run on messages that actually carry the header field
  has_field("xff")
then
  let xff_orig = to_string($message.xff);
  // split on a comma followed by optional whitespace; result is a list
  let xff = split(",\\s*", xff_orig);
  set_field("xff", xff);
end

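The split above leaves the list in one field; the question asks for numbered fields (xff1, xff2, ...) and has to cope with “xff=” and “xff=,”. The following is an added Python example, not code from the thread or from Graylog, that does the same split outside the pipeline and adds the check a practitioner wants before using the result: X-Forwarded-For is supplied by the client, so every hop left of what your own proxies appended is unverified, and only the rightmost entry not belonging to your trusted proxies can be treated as the client address. The log lines, the key=value layout and the trusted proxy addresses (10.0.0.5, 10.0.0.6) are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed nginx-style log lines (key=value layout as in the question; documentation
# address ranges, not real traffic). The xff value may be empty, a bare comma, or a
# comma-separated chain with inconsistent whitespace.
SAMPLE_LOG_LINES = [
    "remote=10.0.0.6 xff= status=200",
    "remote=10.0.0.6 xff=, status=200",
    "remote=10.0.0.6 xff=198.51.100.23 status=200",
    "remote=10.0.0.6 xff=198.51.100.23, 192.0.2.10,10.0.0.5 status=200",
    "remote=10.0.0.6 xff=not-an-ip, 192.0.2.10 status=403",
]

# Assumed for the example: our own reverse proxies / load balancers in front of nginx.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5", "10.0.0.6"}

# The xff value runs until the next " key=" token or end of line, so commas and
# spaces inside the header survive extraction.
XFF_RE = re.compile(r"xff=(.*?)(?=\s+\w+=|$)")


def extract_xff(line: str) -> Optional[str]:
    """Return the raw xff value from a log line, or None if the field is absent."""
    m = XFF_RE.search(line)
    return m.group(1) if m else None


def parse_xff(raw: str) -> List[str]:
    """Split an X-Forwarded-For value into hops; '' and ',' both yield []."""
    return [hop.strip() for hop in raw.split(",") if hop.strip()]


def numbered_fields(hops: List[str], prefix: str = "xff") -> Dict[str, object]:
    """Produce xff1, xff2, ... plus a count, the layout the question asks for."""
    fields: Dict[str, object] = {f"{prefix}{i}": hop for i, hop in enumerate(hops, start=1)}
    fields[f"{prefix}_count"] = len(hops)
    return fields


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(hops: List[str], trusted_proxies: Set[str]) -> Optional[str]:
    """Pick the client address that our trusted infrastructure actually observed.

    Walk from the right, skip entries that are our own proxies, and take the first
    remaining hop: that is the peer our outermost trusted proxy saw. Everything left
    of it was sent by the client and may be arbitrary. Returns None if nothing
    trustworthy remains or the candidate is not a valid IP address.
    """
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        return hop if is_ip(hop) else None
    return None


def parse_log_line(line: str, trusted_proxies: Set[str] = TRUSTED_PROXIES) -> Dict[str, object]:
    """Full pipeline: raw line -> numbered xff fields, validity flag, derived client_ip."""
    raw = extract_xff(line)
    hops = parse_xff(raw) if raw is not None else []
    out = numbered_fields(hops)
    out["xff_all_valid"] = all(is_ip(h) for h in hops)
    out["client_ip"] = client_ip(hops, trusted_proxies)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(parse_log_line(line))
```

Running it over the constructed lines shows the two edge cases from the question collapsing to zero hops (“xff=” and “xff=,” both give xff_count=0 and no client_ip), and a chain ending in one of the trusted proxies resolving to the hop just before it rather than to the leftmost, client-supplied value. The same right-to-left rule is what an alerting or geo-lookup step should use; indexing xff1 as “the client” will be wrong whenever a client sends its own header.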
(system) closed #5

