topic I think it can do it with &quot;X in Network Security https://community.cisco.com/t5/network-security/original-client-ip/m-p/2698342#M1027063 <P>I think it can do it with "X-Forwarded-For" header but not "Original Client IP" header.&nbsp;</P> <P>https://www.cisco.com/c/dam/en/us/td/docs/security/firesight/531/PDFs/FireSIGHT-System-eStreamer-Integration-Guide-5-3-1.pdf &nbsp;page 77 of the pdf shows the detail on the Extra Data&nbsp;records and XFF for IPv4 and IPv6.</P> <P>my understanding is that estreamer will only send it if the SIEM is requesting "Extra Data" from Sourcefire.</P> Wed, 04 Nov 2015 16:00:06 GMT jmoorhouse 2015-11-04T16:00:06Z Original Client IP https://community.cisco.com/t5/network-security/original-client-ip/m-p/2698341#M1027062 <DIV id="caseSummaryDescription" style="margin: 0px; padding: 0px; font-family: Arial, Helvetica; font-size: 12px; word-break: break-all; line-height: normal; background-color: rgb(241, 244, 247);">We send Discovery Events, Intrusion Event Packet Data, Intrusion Events &amp; Intrusion Event Extra Data using the estreamer client into our SIEM tool.<BR /><BR />I cannot find the "Original Client IP" address field in my SIEM. Does the streamer client actually send this field?</DIV><DIV style="margin: 0px; padding: 0px; font-family: Arial, Helvetica; font-size: 12px; word-break: break-all; line-height: normal; background-color: rgb(241, 244, 247);">&nbsp;</DIV><DIV style="margin: 0px; padding: 0px; font-family: Arial, Helvetica; font-size: 12px; word-break: break-all; line-height: normal; background-color: rgb(241, 244, 247);">I have it enabled in the HTTP pre-processor policy but don't see it listed as an option and I see the field populated in the Intrusion Events tab.</DIV> Tue, 26 Mar 2019 01:15:46 GMT https://community.cisco.com/t5/network-security/original-client-ip/m-p/2698341#M1027062 gordonwright 2019-03-26T01:15:46Z I think it can do it with "X https://community.cisco.com/t5/network-security/original-client-ip/m-p/2698342#M1027063 <P>I think it can do it with "X-Forwarded-For" header but not "Original Client IP" header.&nbsp;</P> <P>https://www.cisco.com/c/dam/en/us/td/docs/security/firesight/531/PDFs/FireSIGHT-System-eStreamer-Integration-Guide-5-3-1.pdf &nbsp;page 77 of the pdf shows the detail on the Extra Data&nbsp;records and XFF for IPv4 and IPv6.</P> <P>my understanding is that estreamer will only send it if the SIEM is requesting "Extra Data" from Sourcefire.</P> Wed, 04 Nov 2015 16:00:06 GMT https://community.cisco.com/t5/network-security/original-client-ip/m-p/2698342#M1027063 jmoorhouse 2015-11-04T16:00:06Z