BRO Queries: X-Forwarded-For=xxx.xxx.xxx.xxx

[Roger B]

BRO documentation shows proxied information and I see X-FORWARDED-FOR IP address info in ELSA logs. I can't seem to find the Bro option for reporting on this. Is there a way to extract this from ELSA? Thanks so much

module HTTP;

## A list of HTTP headers typically used to indicate proxied requests.
const proxy_headers: set[string] = {
"FORWARDED",
"X-FORWARDED-FOR",
"X-FORWARDED-FROM",
"CLIENT-IP",
"VIA",
"XROXY-CONNECTION",
"PROXY-CONNECTION",
} &redef;

[Roger B]

I figured it out........duh!!! Thanks!!!

[Vijay Sharma]

Hi Can you let me know how you accomplished this as i am in similar situation ?
unless i am missing something very obvious how we can get X-forward address in BRO http log ?