I have a scenario where I'm trying to tie web browsing traffic that the packet decoder is picking up to the logs that the proxy server generates.
Here is a crude diagram
Client --------> <--- Loadbalancer ---> <--- ProxyServer ---> Internet
- Client connects to internal interface of the load balancer.
- External interface of the load balancer talks to the proxy server
- Proxy server talks to Internet.
- The connection to the load balancer from the client is picked up via the packet decoder/concentrator and meta is being generated showing the ip.dst as being the internal interface of the load balancer
- The proxy server generates syslog that shows all the information you'd expect from a proxy server (URL, user-agent, user-id, etc). These logs show the ip.src as being the external interface of the load balancer. The logs are being fed into the log decoder/concentrator and generating meta as such.
What I'm trying to accomplish is connecting these two sources of data into a single query so that I can piece together the entire traffic flow from client to internet, and I'm not sure how to do it.
If I search the proxy logs for, say, my username I can see all the sites I've visited etc, but it shows the ip.src as being the external interface of the load balancer.
Conversely, if I search for my workstation IP address, I can see my packet traffic to the internal interface of the load balancer, but it doesn't show the proxy traffic.
I welcome any suggestions to help solve my particular use case.