All Apps and Add-ons

Has anyone been able to extract XFF with the estreamer or encore client?

Engager

Has anyone been able to log the the original client ip in Sourcefire logs from traffic coming through a VIP in the eStreamer index?

We can see the original IP in the packet information in the FMC but are unable to get it to send in the logs to Splunk, all we get is the VIP ip address in the source ip field.

We have tested this on both the eStreamer app and the encore app in our instance, and original client ip is turned on in Sourcefire

Any help would be appreciated

Engager

Any update on this?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!