Packetbeat missing client_location

[sherry-ger]

• Version: 1.1.2
• Steps to Reproduce:
  Using a real_ip address like the following

"real_ip" : "64.xx.xxx.xxx, 10.xxx.xxx.xx, 10.xxx.xxx.xx, 10.xxx.xxx.xx"

Packetbeat was not able to resolve the real_ip to aclient_location even though it contains a valid external ip. X-F-F can be any number of entries long. Packetbeat should be able to handle it appropriately.

[andrewkroh]

This occurs when multiple layers of proxies are involved in a request.

This can be reproduced with:

curl -H "X-Forwarded-For: 123.123.123.123, 10.1.2.3, 10.3.4.5" http://google.com

{
  "@timestamp": "2016-03-25T00:32:01.852Z",
  "beat": {
    "hostname": "macbook",
    "name": "macbook"
  },
  "bytes_in": 128,
  "bytes_out": 540,
  "client_ip": "10.18.6.70",
  "client_port": 53424,
  "client_proc": "",
  "client_server": "",
  "count": 1,
  "direction": "out",
  "http": {
    "code": 301,
    "content_length": 219,
    "phrase": "Permanently"
  },
  "ip": "216.58.219.238",
  "method": "GET",
  "params": "",
  "path": "/",
  "port": 80,
  "proc": "",
  "query": "GET /",
  "real_ip": "123.123.123.123, 10.1.2.3, 10.3.4.5",
  "responsetime": 38,
  "server": "",
  "status": "OK",
  "type": "http"
}

The real_ip is the first value in the list. So we need to post-process the header value a bit.