Ahh, thank you! This is very helpful. I was using the following search which is only showing the LB IP address: index=_audit action="login attempt" info=failed When I look at the web_access logs I do indeed see the correct information now: index=_internal source="*web_access.log" I'll see if I can poke around today and figure out if there is any way to modify the login attempt entries to check for an XFF header first and if I find anything I'll share with the community. Thanks for the help, andrewcg! ... View more

Hey andrewcg or m1k34Splunk, Did you make this change on the search heads themselves? I did it on my search heads and it doesn't appear to be working. I tried including it in atoms['h'] and the access_log write itself (I even tried injecting it into both spots once). Restarted splunkweb after each change but neither seems to have any effect. Still shows the VIP from my load balancer. I'm also on 6.6.x. I feel like I must be missing something silly here. Thanks! ... View more