elastic · dainok · Jun 28, 2020 · Jul 3, 2020
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -16,6 +16,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added `http.forwarded_for`, `http.forwarded_host`, `http.forwarded_proto`. #874
+
 #### Improvements
 
 * Temporary workaround for Beats templates' `default_field` growing too big. #687

diff --git a/code/go/ecs/http.go b/code/go/ecs/http.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -2150,6 +2150,45 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the
 
 // ===============================================================
 
+| http.forwarded_for
+| HTTP X-Forwarded-For (XFF) header.
+
+The field is an array of mulitple IP addresses as reported in HTTP request (client to server, forwarded by the proxy).
+
+type: ip
+
+example: `['192.168.0.1', '192.168.100.3', '192.168.254.5']`
+
+| extended
+
+// ===============================================================
+
+| http.forwarded_host
+| HTTP X-Forwarded-Host (XFH) header.
+
+The field contains the original host requsted by the client. It should be a FQDN not an IP address.
+
+type: keyword
+
+example: `www.google.com`
+
+| extended
+
+// ===============================================================
+
+| http.forwarded_proto
+| HTTP X-Forwarded-Proto (XFP) header.
+
+The field contains the original protocol used by the client to request the resource.
+
+type: keyword
+
+example: `http, https`
+
+| extended
+
+// ===============================================================
+
 | http.request.body.bytes
 | Size in bytes of the request body.
 

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -1702,6 +1702,38 @@
       the url of the request.
     type: group
     fields:
+    - name: forwarded_for
+      level: extended
+      type: ip
+      description: 'HTTP X-Forwarded-For (XFF) header.
+
+        The field is an array of mulitple IP addresses as reported in HTTP request
+        (client to server, forwarded by the proxy).'
+      example:
+      - 192.168.0.1
+      - 192.168.100.3
+      - 192.168.254.5
+      default_field: false
+    - name: forwarded_host
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'HTTP X-Forwarded-Host (XFH) header.
+
+        The field contains the original host requsted by the client. It should be
+        a FQDN not an IP address.'
+      example: www.google.com
+      default_field: false
+    - name: forwarded_proto
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'HTTP X-Forwarded-Proto (XFP) header.
+
+        The field contains the original protocol used by the client to request the
+        resource.'
+      example: http, https
+      default_field: false
     - name: request.body.bytes
       level: extended
       type: long

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -214,6 +214,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,host,host.user.id,keyword,core,,One or multiple unique identifiers of the user.
 1.5.0-dev,true,host,host.user.name,keyword,core,albert,Short name or login of the user.
 1.5.0-dev,true,host,host.user.name.text,text,core,albert,Short name or login of the user.
+1.5.0-dev,true,http,http.forwarded_for,ip,extended,"['192.168.0.1', '192.168.100.3', '192.168.254.5']",Array containing all IPs seen in HTTP X-Forwarded-For header.
+1.5.0-dev,true,http,http.forwarded_host,keyword,extended,www.google.com,The original host requested by the client
+1.5.0-dev,true,http,http.forwarded_proto,keyword,extended,"http, https",The original protocol used by the client
 1.5.0-dev,true,http,http.request.body.bytes,long,extended,887,Size in bytes of the request body.
 1.5.0-dev,true,http,http.request.body.content,keyword,extended,Hello world,The full HTTP request body.
 1.5.0-dev,true,http,http.request.body.content.text,text,extended,Hello world,The full HTTP request body.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -2827,6 +2827,49 @@ host.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+http.forwarded_for:
+  dashed_name: http-forwarded-for
+  description: 'HTTP X-Forwarded-For (XFF) header.
+
+    The field is an array of mulitple IP addresses as reported in HTTP request (client
+    to server, forwarded by the proxy).'
+  example:
+  - 192.168.0.1
+  - 192.168.100.3
+  - 192.168.254.5
+  flat_name: http.forwarded_for
+  level: extended
+  name: forwarded_for
+  order: 0
+  short: Array containing all IPs seen in HTTP X-Forwarded-For header.
+  type: ip
+http.forwarded_host:
+  dashed_name: http-forwarded-host
+  description: 'HTTP X-Forwarded-Host (XFH) header.
+
+    The field contains the original host requsted by the client. It should be a FQDN
+    not an IP address.'
+  example: www.google.com
+  flat_name: http.forwarded_host
+  ignore_above: 1024
+  level: extended
+  name: forwarded_host
+  order: 1
+  short: The original host requested by the client
+  type: keyword
+http.forwarded_proto:
+  dashed_name: http-forwarded-proto
+  description: 'HTTP X-Forwarded-Proto (XFP) header.
+
+    The field contains the original protocol used by the client to request the resource.'
+  example: http, https
+  flat_name: http.forwarded_proto
+  ignore_above: 1024
+  level: extended
+  name: forwarded_proto
+  order: 2
+  short: The original protocol used by the client
+  type: keyword
 http.request.body.bytes:
   dashed_name: http-request-body-bytes
   description: Size in bytes of the request body.
@@ -2835,7 +2878,7 @@ http.request.body.bytes:
   format: bytes
   level: extended
   name: request.body.bytes
-  order: 7
+  order: 10
   short: Size in bytes of the request body.
   type: long
 http.request.body.content:
@@ -2851,7 +2894,7 @@ http.request.body.content:
     norms: false
     type: text
   name: request.body.content
-  order: 1
+  order: 4
   short: The full HTTP request body.
   type: keyword
 http.request.bytes:
@@ -2862,7 +2905,7 @@ http.request.bytes:
   format: bytes
   level: extended
   name: request.bytes
-  order: 6
+  order: 9
   short: Total size in bytes of the request (body and headers).
   type: long
 http.request.method:
@@ -2876,7 +2919,7 @@ http.request.method:
   ignore_above: 1024
   level: extended
   name: request.method
-  order: 0
+  order: 3
   short: HTTP request method.
   type: keyword
 http.request.referrer:
@@ -2887,7 +2930,7 @@ http.request.referrer:
   ignore_above: 1024
   level: extended
   name: request.referrer
-  order: 2
+  order: 5
   short: Referrer for this HTTP request.
   type: keyword
 http.response.body.bytes:
@@ -2898,7 +2941,7 @@ http.response.body.bytes:
   format: bytes
   level: extended
   name: response.body.bytes
-  order: 9
+  order: 12
   short: Size in bytes of the response body.
   type: long
 http.response.body.content:
@@ -2914,7 +2957,7 @@ http.response.body.content:
     norms: false
     type: text
   name: response.body.content
-  order: 4
+  order: 7
   short: The full HTTP response body.
   type: keyword
 http.response.bytes:
@@ -2925,7 +2968,7 @@ http.response.bytes:
   format: bytes
   level: extended
   name: response.bytes
-  order: 8
+  order: 11
   short: Total size in bytes of the response (body and headers).
   type: long
 http.response.status_code:
@@ -2936,7 +2979,7 @@ http.response.status_code:
   format: string
   level: extended
   name: response.status_code
-  order: 3
+  order: 6
   short: HTTP response status code.
   type: long
 http.version:
@@ -2947,7 +2990,7 @@ http.version:
   ignore_above: 1024
   level: extended
   name: version
-  order: 5
+  order: 8
   short: HTTP version.
   type: keyword
 labels: