From 01d3df9c9847596e05da05f20c6e07ec3220076a Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 22 Feb 2022 14:22:58 +0100 Subject: [PATCH] log: rename http.xff to http.xff_header Ticket: 4860 So as to differentiate between .xff which is just one IP, depending on the configuration first or last, and .http.xff_header which is the complete header value --- doc/userguide/upgrade.rst | 1 + src/output-json-http.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 34aadc961e24..2e8ba6cd2b57 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -46,6 +46,7 @@ Logging changes - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to ``ike.ikev2.errors`` and ``ike.ikev2.notify``. - FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root. +- HTTP xff header is now logged as ``http.xff_header`` instead of ``http.xff`` while the root object ``.xff`` remains the same Other changes ~~~~~~~~~~~~~ diff --git a/src/output-json-http.c b/src/output-json-http.c index bb6bc0643408..62a35cd6cc58 100644 --- a/src/output-json-http.c +++ b/src/output-json-http.c @@ -229,7 +229,7 @@ static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx) /* x-forwarded-for */ htp_header_t *h_x_forwarded_for = htp_table_get_c(tx->request_headers, "x-forwarded-for"); if (h_x_forwarded_for != NULL) { - jb_set_string_from_bytes(js, "xff", bstr_ptr(h_x_forwarded_for->value), + jb_set_string_from_bytes(js, "xff_header", bstr_ptr(h_x_forwarded_for->value), bstr_len(h_x_forwarded_for->value)); } }
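Review bot: The renamed key in EveHttpLogJSONBasic has no comment saying what `xff_header` holds, so the distinction drawn in the commit message is lost in the code; the existing comment could become `/* x-forwarded-for: complete header value as sent by the client, unlike the root .xff object which is a single IP */`. The value is taken straight from the request headers, so log consumers should treat it as untrusted text and not as a verified address. Parsers, dashboards and detection queries keyed on `http.xff` will stop matching without any error. The upgrade note covers this, but if the tree keeps an EVE field reference or schema elsewhere, it is not updated in this patch as shown. The function begins above the hunk, so only the tail of its body is visible here.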