This repository has been archived by the owner on Dec 14, 2024. It is now read-only.

Traffic and Threat Log doesn't correctly translate the Source IP / X-Forwarded-For Value #253

Open
paulkilla opened this issue Apr 19, 2022 · 3 comments
Labels
add-on Related to the Splunk Add-On enhancement

Comments

@paulkilla

paulkilla commented Apr 19, 2022

Describe the bug

When sending Traffic and Threat Logs (potentially others) with the X-Forwarded-For header set in the logged traffic, the Palo Splunk Add-On isn't pulling that data out into client_ip or a new value?

We can see the XFF header value in the _raw log format, so the data is there and we can do our own transforming to pull it out if required, but a set solution as part of the Add-On would be beneficial.

Expected behavior

The XFF header is pulled out as a new value, e.g. xff_ip?

Current behavior

The XFF header isn't pulled out of the _raw log entry, so is not easily searchable or reportable.

Steps to reproduce

  1. Set up a proxy/load balancer and set the XFF header.
  2. The XFF header can be seen in the Monitor tab of the firewall's logs.
  3. The XFF header value can be seen in the _raw log entry.
  4. The XFF value is not pulled out as a specified field.

Thanks
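The "own transforming" the issue mentions, shown as an added example that is not the Add-on's code and not the reporter's. It assumes a constructed, simplified CSV layout with the X-Forwarded-For value at a fixed column (the real PAN-OS traffic log schema and its field positions differ by version and are not reproduced here). The point a detection engineer cares about is that XFF is written by clients and intermediaries, so it is parsed as untrusted input and kept in its own field (here `xff_ip`) rather than overwriting the source IP the firewall actually saw:

```python
import csv
import ipaddress
from typing import Optional

# Constructed sample records in a PAN-OS-like CSV layout. The column order is
# an ASSUMPTION for this example, not the real PAN-OS traffic log schema:
# receive_time, serial, type, subtype, src_ip, dst_ip, rule, app, action, xff
SAMPLE_LOGS = """\
2022/04/19 10:00:01,0123456789,TRAFFIC,end,10.0.0.5,203.0.113.10,allow-web,web-browsing,allow,198.51.100.7
2022/04/19 10:00:02,0123456789,TRAFFIC,end,10.0.0.5,203.0.113.10,allow-web,web-browsing,allow,"198.51.100.8, 10.0.0.5"
2022/04/19 10:00:03,0123456789,TRAFFIC,end,10.0.0.5,203.0.113.10,allow-web,web-browsing,allow,
2022/04/19 10:00:04,0123456789,TRAFFIC,end,10.0.0.5,203.0.113.10,allow-web,web-browsing,allow,not-an-ip<script>
2022/04/19 10:00:05,0123456789,TRAFFIC,end,10.0.0.5,203.0.113.10,allow-web,web-browsing,allow,2001:db8::1
"""

SRC_IP_INDEX = 4   # assumed position of the firewall-observed source IP
XFF_INDEX = 9      # assumed position of the X-Forwarded-For value


def parse_xff(raw: str) -> Optional[str]:
    """Return the first syntactically valid IP in an X-Forwarded-For value, or None.

    XFF is client-controlled: it may be empty, a comma-separated chain
    ("client, proxy1, proxy2"), or arbitrary junk. Take the leftmost entry
    (the claimed original client), strip whitespace, and require a valid
    IPv4/IPv6 literal. Anything else is dropped rather than indexed, so a
    hostile header cannot smuggle text into a searchable IP field.
    """
    if not raw:
        return None
    first = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def extract_fields(line: str) -> dict:
    """Split one CSV record and expose src_ip and xff_ip as separate fields."""
    row = next(csv.reader([line]))
    xff_raw = row[XFF_INDEX] if len(row) > XFF_INDEX else ""
    return {
        "src_ip": row[SRC_IP_INDEX],   # what the firewall saw; never overwritten
        "xff_ip": parse_xff(xff_raw),  # validated, separate field (None if unusable)
        "xff_raw": xff_raw,            # kept verbatim for forensics
    }


def extract_all(text: str) -> list:
    return [extract_fields(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in extract_all(SAMPLE_LOGS):
        print(rec)
```

Records 3 and 4 above yield `xff_ip` of None (empty header and a non-IP value respectively) while `xff_raw` retains the original text; in a Splunk props/transforms extraction the same rule applies, keep the raw capture for search but only populate an IP-typed field after validation, and never alias it over `src_ip`.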

@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulkilla
Author

As a note, looking at my _raw log and the fields extracted by the transforms, my raw logs have an additional 54 fields that aren't mapped in transforms.conf (Traffic log sourcetype).

@paulkilla
Author

Development

No branches or pull requests

2 participants