elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[F5 BIG-IP]: No support for multiple X-Forwarded-For IP Addresses #10707

Closed willem-dhaese closed 2 months ago

willem-dhaese commented 2 months ago

Integration Name

F5 BIG-IP [f5_bigip]

Dataset Name

f5_bigip.log

Integration Version

1.18.1

Agent Version

8.14.3

Agent Output Type

elasticsearch

Elasticsearch Version

8.14.3

OS Version and Architecture

RHEL9

Software/API Version

No response

Error Message

Processor convert with tag convert_x_forwarded_for_header_value_to_ip in pipeline logs-f5_bigip.log-1.18.1-pipeline_bigipasm failed with message: '10.43.24.23, 10.43.24.24' is not an IP string literal.

Event Original

{
    "attack_type": "N/A",
    "blocking_exception_reason": "N/A",
    "captcha_result": "not_received",
    "date_time": "2024-08-06T10:03:36.000Z",
    "dest_ip": "10.30.4.56",
    "dest_port": "443",
    "device_id": "N/A",
    "fragment": "",
    "geo_location": "N/A",
    "hostname": "f5qa",
    "http_class_name": "/Common/asmpolicy_lampqa",
    "ip_address_intelligence": "N/A",
    "ip_client": "10.43.24.23",
    "management_ip_address": "10.52.34.33",
    "management_ip_address_2": "N/A",
    "method": "HEAD",
    "microservice": "N/A",
    "originalRawData": "\u003c134\u003eAug  6 12:03:36 f5qa ASM:unit_hostname=\"f5qa\",management_ip_address=\"10.52.34.33\",management_ip_address_2=\"N/A\",http_class_name=\"/Common/asmpolicy_lampqa\",web_application_name=\"/Common/asmpolicy_lampqa\",policy_name=\"/Common/asmpolicy_lampqa\",policy_apply_date=\"2024-07-02 16:43:55\",violations=\"N/A\",support_id=\"5410866668007843666\",request_status=\"passed\",response_code=\"200\",ip_client=\"10.43.24.23\",route_domain=\"0\",method=\"HEAD\",protocol=\"HTTPS\",query_string=\"\",x_forwarded_for_header_value=\"10.43.24.23, 10.43.24.23\",sig_ids=\"N/A\",sig_names=\"N/A\",date_time=\"2024-08-06 12:03:36\",severity=\"Informational\",attack_type=\"N/A\",geo_location=\"N/A\",ip_address_intelligence=\"N/A\",username=\"N/A\",session_id=\"7a60af492530220b\",src_port=\"50668\",dest_port=\"443\",dest_ip=\"10.30.4.56\",sub_violations=\"N/A\",virus_name=\"N/A\",violation_rating=\"0\",websocket_direction=\"N/A\",websocket_message_type=\"N/A\",device_id=\"N/A\",staged_sig_ids=\"\",staged_sig_names=\"\",threat_campaign_names=\"N/A\",staged_threat_campaign_names=\"N/A\",blocking_exception_reason=\"N/A\",captcha_result=\"not_received\",microservice=\"N/A\",tap_event_id=\"N/A\",tap_vid=\"N/A\",vs_name=\"/Common/vs_externalqa13_443\",sig_cves=\"N/A\",staged_sig_cves=\"N/A\",uri=\"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar\",fragment=\"\",request=\"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.23\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n\",response=\"Response logging disabled\"",
    "policy_apply_date": "2024-07-02 16:43:55",
    "policy_name": "/Common/asmpolicy_lampqa",
    "protocol": "HTTPS",
    "query_string": "",
    "request": "HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.24\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n",
    "request_status": "passed",
    "response": "Response logging disabled",
    "response_code": "200",
    "route_domain": "0",
    "session_id": "7a60af492530220b",
    "severity": "Informational",
    "sig_cves": "N/A",
    "sig_ids": "N/A",
    "sig_names": "N/A",
    "src_port": "50668",
    "staged_sig_cves": "N/A",
    "staged_sig_ids": "",
    "staged_sig_names": "",
    "staged_threat_campaign_names": "N/A",
    "sub_violations": "N/A",
    "support_id": "5410868666607846666",
    "tap_event_id": "N/A",
    "tap_vid": "N/A",
    "telemetryEventCategory": "ASM",
    "tenant": "Common",
    "threat_campaign_names": "N/A",
    "uri": "/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar",
    "username": "N/A",
    "violation_rating": "0",
    "violations": "N/A",
    "virus_name": "N/A",
    "vs_name": "/Common/vs_externalqa13_443",
    "web_application_name": "/Common/asmpolicy_lampqa",
    "websocket_direction": "N/A",
    "websocket_message_type": "N/A",
    "x_forwarded_for_header_value": "10.43.24.23, 10.43.24.24"
}

What did you do?

Normal f5_bigip.log integration setup

What did you see?

f5_bigip.log.x_forwarded_for_header_value is not indexed correctly.

What did you expect to see?

Correctly parsed X-Forwarded-For and no errors.

Anything else?

No response
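Added example, not part of this issue or of the integration's own pipeline: a Python model of the failing convert step beside a tolerant parser for the multi-hop header, using the header value from this report as a constructed sample. The `client_ip_from_chain` helper and its trusted-proxy CIDR list are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional

# Constructed sample, copied from the shape of the ASM event in this issue.
SAMPLE_XFF = "10.43.24.23, 10.43.24.24"


def single_ip_convert(value: str) -> Optional[str]:
    """Model of the pipeline's convert-to-ip step: the whole field must be
    one IP literal, so a comma-separated chain raises and the event fails."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def parse_x_forwarded_for(value: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For chain into validated IP strings.
    Tokens that are empty, the F5 placeholder "N/A", or not an IP literal are
    skipped, so one bad hop does not make the whole event un-indexable."""
    ips: List[str] = []
    for token in value.split(","):
        token = token.strip()
        if not token or token.upper() == "N/A":
            continue
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


def client_ip_from_chain(ips: List[str], trusted_proxies: List[str]) -> Optional[str]:
    """Assumed helper: pick the client address from a parsed chain. Hops are
    appended left to right, so the leftmost value is whatever the client sent
    and is not trustworthy on its own; walk from the right and return the
    first hop that is not one of our own proxies (given as CIDR strings)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    for hop in reversed(ips):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in nets):
            return hop
    return None
```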

elasticmachine commented 2 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)