Has anyone been able to log the the original client ip in Sourcefire logs from traffic coming through a VIP in the eStreamer index?
We can see the original IP in the packet information in the FMC but are unable to get it to send in the logs to Splunk, all we get is the VIP ip address in the source ip field.
We have tested this on both the eStreamer app and the encore app in our instance, and original client ip is turned on in Sourcefire
Any help would be appreciated
Any update on this?