diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 744f93a8b96..63121591ad5 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -55,6 +55,7 @@ https://github.com/elastic/beats/compare/v1.1.2...master[Check the HEAD diff]
 - Allow PF_RING sniffer type to be configured using pf_ring or pfring {pull}671[671]
 - Create a proper BPF filter when ICMP is the only enabled protocol {issue}757[757]
 - Check column length in pgsql parser. {issue}565{565
+- Split real_ip_header value when it contains multiple IPs {pull}1241[1241]
 *Topbeat*
 - Fix issue with cpu.system_p being greater than 1 on Windows {pull}1128[1128]
diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
index 47ee3d87582..4f9021a8c46 100644
--- a/packetbeat/protos/http/http_parser.go
+++ b/packetbeat/protos/http/http_parser.go
@@ -330,7 +330,9 @@ func (parser *parser) parseHeader(m *message, data []byte) (bool, bool, int) {
 m.connection = headerVal
 }
 if len(config.RealIPHeader) > 0 && bytes.Equal(headerName, []byte(config.RealIPHeader)) {
- m.RealIP = headerVal
+ if ips := bytes.SplitN(headerVal, []byte{','}, 2); len(ips) > 0 {
+ m.RealIP = trim(ips[0])
+ }
 }
 if config.SendHeaders {
diff --git a/packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap b/packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap
new file mode 100644
index 00000000000..19f081c54a2
Binary files /dev/null and b/packetbeat/tests/system/pcaps/http_x_forwarded_for.pcap differ
diff --git a/packetbeat/tests/system/test_0008_realip.py b/packetbeat/tests/system/test_0008_realip.py
index 93de850751d..5b55f73d3a6 100644
--- a/packetbeat/tests/system/test_0008_realip.py
+++ b/packetbeat/tests/system/test_0008_realip.py 
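Review bot: The value stored by `m.RealIP = trim(ips[0])` in parseHeader is the leftmost entry of the configured header, which is the part the original sender controls, and it is stored without any check that it is an IP address. Anything derived from it downstream (the system test in this commit asserts `client_location`) therefore reflects client-supplied data unless a trusted proxy rewrites the header, which deserves a comment such as `// leftmost entry is sender-supplied; only trustworthy behind a proxy that overwrites this header`. The `len(ips) > 0` guard also never fails, because `bytes.SplitN` with a non-empty separator always returns at least one element, so a header that is empty or starts with a comma still sets an empty RealIP; `if ip := trim(ips[0]); len(ip) > 0 { m.RealIP = ip }` would skip that case. parseHeader starts and ends outside the hunk, so how RealIP is consumed later is not visible here.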
@@ -23,3 +23,20 @@ def test_x_forward_for(self):
 assert o["real_ip"] == "89.247.39.104"
 assert o["client_location"] == "52.528503, 13.410904"
+
+ def test_x_forwarded_for_multiple_ip(self):
+ self.render_config_template(
+ http_ports=[80],
+ http_real_ip_header="X-Forwarded-For",
+ http_send_all_headers=True,
+ geoip_paths=["geoip_city.dat"]
+ )
+ self.copy_files(["geoip_city.dat"])
+ self.run_packetbeat(pcap="http_x_forwarded_for.pcap", debug_selectors=["http"])
+
+ objs = self.read_output()
+ assert len(objs) == 1
+ o = objs[0]
+
+ assert o["real_ip"] == "89.247.39.104"
+ assert o["client_location"] == "52.528503, 13.410904"
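Review bot: test_x_forwarded_for_multiple_ip asserts only `real_ip` and `client_location`, with the same expected values as test_x_forward_for, so nothing in the test shows that the binary capture really carries a multi-value header. Since `http_send_all_headers=True` is already set, the test could also assert that the exported X-Forwarded-For request header contains a comma (the exact output field name needs confirming against the exporter), which would pin the input as well as the result. A one-line docstring such as `"""real_ip is the first address when the header lists several."""` would state the intent. Cases with whitespace around the first entry, or an empty first entry, appear to be uncovered by this capture.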