As i understand, Proxywatch feature should correlate the external proxied IP/port with the real client IP/port, so that we get to know the real user IP that corresponds to a specific proxied access as seen from outside the proxy.
I am using WSA with Stealthwatch in my case, where WSA sends proxy logs in W3C format to FC.
The question is:
How does stealthwatch correlate the external and internal proxy connections ? Based on which fields ?
Thanks in advance.