Hi Daniele,
your client has to set the "host" field of the GELF message
correctly:
http://docs.graylog.org/en/2.1/pages/gelf.html#gelf-format-specification
Cheers,
Jochen
On Monday, 26 September 2016 10:50:17 UTC+2, Daniele wrote:
>
> Hi,
>
> we're using nginx as reverse proxy in front of our graylog server. This
> works fine beside logging the clients IP address.
> Following rule adds the IP address to our GELF http input:
>
> rule "add ip"
> when
> true
> then
> set_field("ip", to_ip($message.gl2_remote_ip));
> end
>
> If we post data to the input-ip / port combination
> (http://<*ip>*:*12202*/gelf)
> it works as expected.
>
> We configured our nginx as reverse proxy as follows:
>
> server {
> listen 443 ssl;
> server_name log-input.server-name.de;
>
> ssl_certificate_key /etc/ssl/server.key;
> ssl_certificate /etc/ssl/server.crt;
>
> error_log /var/log/nginx/error.log debug;
>
> location / {
> proxy_pass http://127.0.0.1:12202;
> proxy_redirect off;
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Host $host:443;
>
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-Port 443;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme $scheme;
>
> # testing remote addr combinations
> proxy_set_header REMOTE_ADDR $remote_addr;
> proxy_set_header Remote_Addr $remote_addr;
> # /testing remote addr combinations
>
> proxy_pass_request_headers on;
> proxy_connect_timeout 150;
> proxy_send_timeout 100;
> proxy_read_timeout 100;
> proxy_buffers 4 32k;
> client_max_body_size 8m;
> client_body_buffer_size 128k;
> }
> }
>
>
>
> Unfortunately the logging result with post-requests to *https://log-input
> <https://log-input>.<server-name>.de/gelf* shows 127.0.0.1 as IP address,
> instead of the real client *$remote_addr*.
> The activated debug log (*/var/log/nginx/error.log*) shows the IP address
> correctly. It seems that *gl2_remote_ip* does not handle HTTP headers as
> expected.
>
> Has someone a solution for our problem?
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/93ed7b59-2c8e-4566-928e-34341d6f6d9b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
