Templates for http, https, k8s, and docker_api log the client IP as remote_addr (Flask's request.remote_addr) instead of src_ip. The collector and correlation parser only checked src_ip/src/client_ip/remote_ip/ip, so every request event from those services was stored with attacker_ip="Unknown" and never associated with any attacker profile. Adding remote_addr to _IP_FIELDS in both collector/worker.py and correlation/parser.py fixes attribution. The profiler cursor was also reset to 0 so the worker performs a cold rebuild and re-ingests existing events with the corrected field mapping.
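As an added example (not code from this commit or the project), the following Python shows why an ordered field-name fallback silently drops attribution for any template that writes the client IP under a name the list does not contain, and what changes once `remote_addr` is appended. The names `IP_FIELDS_BEFORE`, `IP_FIELDS_AFTER`, `extract_attacker_ip`, `build_profiles`, `rebuild_from_cursor` and the sample events are assumptions for illustration and are not the real `_IP_FIELDS`, `collector/worker.py` or `correlation/parser.py`.

```python
"""
Illustrative re-implementation (not the project's code) of an ordered IP-field
lookup, the "Unknown" fallback it produces for unlisted keys, and a cold rebuild
from cursor 0. All names and sample events below are assumed for this example.
"""
from collections import defaultdict
import ipaddress

# Field names checked before the fix; tuple order is the lookup priority.
IP_FIELDS_BEFORE = ("src_ip", "src", "client_ip", "remote_ip", "ip")

# After the fix: remote_addr (Flask's request.remote_addr) is also accepted.
IP_FIELDS_AFTER = IP_FIELDS_BEFORE + ("remote_addr",)

UNKNOWN = "Unknown"


def _normalize(value):
    """Return a canonical IP string, or None if value is not a valid address."""
    if not isinstance(value, str):
        return None
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d), which some WSGI servers emit,
    # so the same attacker is not split into two profiles.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def extract_attacker_ip(event, fields=IP_FIELDS_AFTER):
    """First valid IP found under any name in ``fields``; otherwise "Unknown"."""
    for name in fields:
        ip = _normalize(event.get(name))
        if ip is not None:
            return ip
    return UNKNOWN


def build_profiles(events, fields=IP_FIELDS_AFTER):
    """Group events by attributed IP: {ip: [service, ...]}."""
    profiles = defaultdict(list)
    for ev in events:
        profiles[extract_attacker_ip(ev, fields)].append(ev["service"])
    return dict(profiles)


def rebuild_from_cursor(events, cursor, fields=IP_FIELDS_AFTER):
    """Re-ingest events from ``cursor`` onward; cursor=0 is the cold rebuild."""
    return build_profiles(events[cursor:], fields)


# Constructed sample events (not real captures). The http/https/k8s/docker_api
# style templates log the client under remote_addr; the ssh-style one uses src_ip.
SAMPLE_EVENTS = [
    {"service": "http", "remote_addr": "203.0.113.7", "path": "/wp-login.php"},
    {"service": "k8s", "remote_addr": "203.0.113.7", "path": "/api/v1/secrets"},
    {"service": "docker_api", "remote_addr": "::ffff:203.0.113.7", "path": "/containers/json"},
    {"service": "ssh", "src_ip": "198.51.100.9", "username": "root"},
    {"service": "https", "remote_addr": "not-an-ip", "path": "/"},
]


if __name__ == "__main__":
    print("before fix:", build_profiles(SAMPLE_EVENTS, IP_FIELDS_BEFORE))
    print("after fix: ", rebuild_from_cursor(SAMPLE_EVENTS, 0, IP_FIELDS_AFTER))
```

Run with the old tuple, every `remote_addr` event lands in the `"Unknown"` bucket and only the ssh event gets a profile; with the new tuple the three web-style events collapse onto one attacker. The one event whose `remote_addr` is not a parseable address still falls through to `"Unknown"`, which is the behaviour a practitioner should expect and check for rather than treat as attribution.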