We're using HAProxy as a load balancer at layer 7 so that we can terminate SSL and inspect the traffic with Snort. The problem is that Snort sees the load balancer as the source instead of the original client. We've added the X-Forwarded-For header but can't find a way to make Snort write its logs with this as the src.

We set enable_xff in the Snort configs, but this only puts the IP in the unified log in the Extra Data section. It isn't included in the standard syslog.

The unified log is binary and the tool that we need to read the Snort logs can't process it.

Is there a way to force Snort to write the correct IP in its logs?

Brad R
  • I doubt such functionality would exist in Snort, because that would require Snort to use Layer 7 information when logging layer 3 events. – Tero Kilkanen Aug 12 '20 at 19:43

1 Answer


Might be too late, but this link can be useful:


Taken from the link above:

The default X-Forwarded-For and True-Client-IP headers are always present. They may be explicitly specified in the xff_headers config in order to determine their priority. If not specified, they will be automatically added to the xff list as the lowest priority headers.

For example, let us say that we have the following (abbreviated) HTTP request header:

    ...
    Host: www.snort.org
    X-Forwarded-For:
    X-Was-Originally-Forwarded-From:
    ...

With the default xff behavior (no xff_headers), the ‘X-Forwarded-For’ header would be used to provide an Original Client IP address in the unified2 log. Custom headers are not parsed.


xff_headers { [ x-was-originally-forwarded-from 1 ] [ x-another-forwarding-header 2 ] [ x-forwarded-for 3 ] }

The X-Was-Originally-Forwarded-From header is the highest priority present and its value of will be logged as the Original Client IP in the unified2 log.

But with:

xff_headers { [ x-was-originally-forwarded-from 3 ] [ x-another-forwarding-header 2 ] [ x-forwarded-for 1 ] } 

Now the X-Forwarded-For header is the highest priority and its value of is logged.
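
The priority rule quoted in the answer above, modelled in Python as an added example (not part of the original answer and not Snort's own code). The sample request and its addresses are constructed, and the relative order of the two default headers and the handling of comma-separated values are assumptions.

```python
import ipaddress

# Default headers named in the quoted documentation; their relative order is an assumption.
DEFAULT_XFF = ("x-forwarded-for", "true-client-ip")

def build_xff_list(configured=None):
    """Return header names, highest priority first (1 = highest)."""
    configured = {k.lower(): v for k, v in (configured or {}).items()}
    names = sorted(configured, key=configured.get)
    # Defaults that were not listed are appended as the lowest priority.
    names += [d for d in DEFAULT_XFF if d not in configured]
    return names

def parse_headers(raw_request):
    """Parse the header block of a raw HTTP/1.x request into a dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                               # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def original_client_ip(raw_request, configured=None):
    """Return (header, ip) for the highest-priority header present, else None."""
    headers = parse_headers(raw_request)
    for name in build_xff_list(configured):
        value = headers.get(name)
        if not value:
            continue
        # Assumption: a comma-separated chain is reduced to its first entry.
        candidate = value.split(",")[0].strip()
        try:
            return name, str(ipaddress.ip_address(candidate))
        except ValueError:
            return None   # highest-priority header is present but is not an IP
    return None

# Constructed request; addresses come from documentation ranges.
SAMPLE = ("GET / HTTP/1.1\r\nHost: www.snort.org\r\n"
          "X-Forwarded-For: 192.0.2.10\r\n"
          "X-Was-Originally-Forwarded-From: 198.51.100.7\r\n\r\n")
WITH_CUSTOM_FIRST = {"x-was-originally-forwarded-from": 1,
                     "x-another-forwarding-header": 2, "x-forwarded-for": 3}
WITH_XFF_FIRST = {"x-was-originally-forwarded-from": 3,
                  "x-another-forwarding-header": 2, "x-forwarded-for": 1}

if __name__ == "__main__":
    for cfg in (None, WITH_CUSTOM_FIRST, WITH_XFF_FIRST):
        print(cfg, "->", original_client_ip(SAMPLE, cfg))
```

Whichever header is selected, its value is only as trustworthy as the proxy that set it: the load balancer has to remove any client-supplied copy of the header before adding its own.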