Project

logstash-filter-real_ip

0.0
No commit activity in last 3 years
No release in over 3 years
logstash-filter-real_ipfholzer/logstash-filter-real_ipHomepageDocumentationSource CodeBug TrackerWiki
See https://github.com/fholzer/logstash-filter-real_ip/blob/master/README.md for details.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
5,383
Stars
1
Forks
0
Watchers
1
 Releases
Current version
0.2.0
Total releases
3
First release
2018-06-04
Latest release
2018-07-11
 Issues
Open Issues
1
Closed Issues
1
Total Issues
2
Issue Closure Rate
50%
 Development
Primary Language
Ruby
Licenses
Apache-2.0
Average date of last 50 commits
2018-07-31
Reverse Dependencies
0

 Dependencies

Development

logstash-devutils
>= 0

Runtime

logstash-core-plugin-api
~> 2.0
 Project Readme

Evaluate an HTTP request's client address like Apache httpd's mod_remoteip or Nginx's realip module.

For an event like this...

{
  "remote_addr" => "10.1.1.1"
  "x_fwd_for" => ["1.2.3.4", "10.2.2.2"]
}

...an example configuration looks like so:

filter {
  real_ip {
    remote_address_field => "remote_addr"
    x_forwarded_for_field => "x_fwd_for"
    trusted_networks => [
      "10.0.0.0/8",
      "192.168.0.0/16"
    ]
  }
}

This will evaluate the real client IP, writing it to a new field "realip". For above example event that would be "1.2.3.4"

Often web servers don't provide the value of the X-Forwarded-For header as an array. For ease of use the real_ip plugin provides capabilities to parse such a comma-separated string. To enable this feature, use the x_forwarded_for_is_string option.

For an event like this...

{
  "remote_addr" => "10.1.1.1"
  "x_fwd_for" => "1.2.3.4, 10.2.2.2"
}

...an example configuration looks like so:

filter {
  real_ip {
    remote_address_field => "remote_addr"
    x_forwarded_for_field => "x_fwd_for"
    x_forwarded_for_is_string => true
    trusted_networks => [
      "10.0.0.0/8",
      "192.168.0.0/16"
    ]
  }
}

In case the plugin fails to evaluate the real client IP, it will add a tag to the event, by default _real_ip_lookup_failure. The plugin will fail if one of below it true:

  • The remote_address field is absent.
  • The remote_address field doesn't contain an IP address.
  • The filter is configured using x_forwarded_for_is_string = true, but the x_forwarded_for field isn't a string.
  • The x_forwarded_for field contains anything other that IP addresses.

Evaluation behavior

The plugin checks whether the remote_address_field is trusted, if not, it will be written to target_field, and evaluation ends.

Otherwise each IP in the x_forwarded_for_field is checked, from right to left until an untrusted IP is encountered, which will be written to target_field and evaluation ends at that point.

In case remote_address_field and all IPs in x_forwarded_for_field are trusted, the left-most IP of the x_forwarded_for_field is written to target_field.

Configuration

remote_address_field
  • type: string
  • default: ""

Name of the field that contains the layer 3 remote IP address

x_forwarded_for_field
  • type: string
  • default: ""

Name of the field that contains the X-Forwarded-For header value

x_forwarded_for_is_string
  • type: boolean
  • default: false

Specifies whether the x_forwarded_for_field contains a comman-separated string instead of an array.

trusted_networks
  • type: array
  • default: []

A list of trusted networks addresses. Be sure that you only specify addresses that you trust will correctly manipulate the X-Forwarded-For header.

target_field
  • type: string
  • default: "real_ip"

Name of the field that this plugin will write the evaluated real client IP address to.

tags_on_failure
  • type: array
  • default: ["_real_ip_lookup_failure"]

In case of error during evaluation, these tags will be set.