Nginx x-forwarded-for header array


(Chinmay Pandya) #1

I am collecting nginx logs in graylog. one of the log field is xff header.

Now xff header can have the unpredictable amount of ips.

Some time string is like “xff=1.1.1.1” and some time is like “xff=2.2.2.2, 1.1.1.1” and some time reaches up to 5 ips.

Now I want to parse them into different fields. Do not know how to do it.

What I want is for “xff=1.1.1.1” it should be “xff1=1.1.1.1” and for “xff=2.2.2.2, 1.1.1.1” it should be “xff1=2.2.2.2, xff2=1.1.1.1”.

Is it possible? or someone has any other idea?


(Jochen) #2

You could probably use the split() function to split the contents of the “xff” field into a list.


(Chinmay Pandya) #3

Can you show me a sample pipeline or extractor code for this?


(Jochen) #4

Sure:

rule "split-xff"
when
  has_field("xff")
then
  let xff_orig = to_string($message.xff);
  let xff = split(",\\s*", xff_orig);
  set_field("xff", xff);
end

(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.