fix: add remote_addr to IP field lookup so http/https/k8s events are attributed correctly
Templates for http, https, k8s, and docker_api log the client IP as remote_addr (Flask's request.remote_addr) instead of src_ip. The collector and correlation parser only checked src_ip/src/client_ip/remote_ip/ip, so every request event from those services was stored with attacker_ip="Unknown" and never associated with any attacker profile. Adding remote_addr to _IP_FIELDS in both collector/worker.py and correlation/parser.py fixes attribution. The profiler cursor was also reset to 0 so the worker performs a cold rebuild and re-ingests existing events with the corrected field mapping.
@@ -114,7 +114,7 @@ _RFC5424_RE = re.compile(
|
|||||||
)
|
)
|
||||||
_SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
|
_SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
|
||||||
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
|
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
|
||||||
_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
|
_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
|
||||||
|
|
||||||
|
|
||||||
def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
|
def parse_rfc5424(line: str) -> Optional[dict[str, Any]]:
|
||||||
|
|||||||
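Review bot: The `_IP_FIELDS` tuple in this hunk carries no comment, while the parallel definition in the second hunk (`@@ -38,7 +38,7 @@`) is documented with `# Field names to probe for attacker IP, in priority order`; add the same comment above the line here so the probe order is explained in both modules. The two copies are otherwise byte-identical and this fix had to touch both, so the next field added to one is likely to be missed in the other — a single definition imported by both modules would remove that drift. The description states that `remote_addr` is Flask's `request.remote_addr`, which is the direct peer address; if these services sit behind a reverse proxy the attributed IP is presumably the proxy's, which is worth confirming before the cold rebuild re-ingests existing events.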
@@ -38,7 +38,7 @@ _SD_BLOCK_RE = re.compile(r'\[decnet@55555\s+(.*?)\]', re.DOTALL)
|
|||||||
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
|
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
|
||||||
|
|
||||||
# Field names to probe for attacker IP, in priority order
|
# Field names to probe for attacker IP, in priority order
|
||||||
_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "ip")
|
_IP_FIELDS = ("src_ip", "src", "client_ip", "remote_ip", "remote_addr", "ip")
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
@dataclass
|
||||||
|
|||||||