diff --git a/decnet/collector/worker.py b/decnet/collector/worker.py
index 1e97db7..63c6018 100644
--- a/decnet/collector/worker.py
+++ b/decnet/collector/worker.py
@@ -114,7 +114,7 @@ _RFC5424_RE = re.compile(
 )
 _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
 _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
-_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
+_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
 
 
 def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
diff --git a/decnet/correlation/parser.py b/decnet/correlation/parser.py
index e457254..b6b95ac 100644
--- a/decnet/correlation/parser.py
+++ b/decnet/correlation/parser.py
@@ -38,7 +38,7 @@ _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
 _PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
 
 # Field names to probe for attacker IP, in priority order
-_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
+_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
 
 
 @dataclass
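Review bot: `_IP_FIELDS` in decnet/collector/worker.py has no comment saying that its order is significant, while the identical tuple in decnet/correlation/parser.py is documented as being probed "in priority order". I would add `# Field names to probe for attacker IP, in priority order; keep in sync with decnet/correlation/parser.py` above the worker.py definition. The underlying issue is that `_IP_FIELDS`, `_SD_BLOCK_RE` and `_PARAM_RE` are defined twice, so this commit has to make the same edit in both files. A future field name added to only one copy would leave the collector and the correlation parser disagreeing on the source address of the same event. Defining the tuple once and importing it in the other module would remove that risk, provided the package layout (not visible here) allows the import.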
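Review bot: No test visible in this diff pins the new `"remote_addr"` lookup in decnet/correlation/parser.py, and its position matters: per the comment above the tuple, an event carrying both `remote_addr` and `ip` is now attributed to `remote_addr`. A parser test on a constructed line containing `[decnet@55555 remote_addr="192.0.2.10" ip="198.51.100.7"]` would record that precedence and catch drift between the two copies of the tuple. The code that reads these fields is outside the hunk. If it does not already validate the match, the value should be passed through `ipaddress.ip_address()` before it is stored as the attacker address, since `_PARAM_RE` accepts any quoted string.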