
Need help in connecting logs and packets together

Question asked by Jeremy Kerwin on Nov 6, 2017

I have a scenario where I'm trying to take the web browsing traffic that the packet decoder is picking up and match it to the logs that the proxy server generates.

 

Here is a crude diagram

Client --------> <--- Loadbalancer ---> <--- ProxyServer ---> Internet

  1. Client connects to the internal interface of the load balancer.
  2. External interface of the load balancer talks to the proxy server.
  3. Proxy server talks to the Internet.

 

  • The connection to the load balancer from the client is picked up via the packet decoder/concentrator and meta is being generated showing the ip.dst as being the internal interface of the load balancer.
  • The proxy server generates syslog that shows all the information you'd expect from a proxy server (URL, user-agent, user-id, etc.). These logs show the ip.src as being the external interface of the load balancer. The logs are being fed into the log decoder/concentrator and generating meta as such.

 

What I'm trying to accomplish is connecting these two sources of data into a single query so that I can piece together the entire traffic flow from client to internet, and I'm not sure how to do it.

 

If I search the proxy logs for say my username I can see all the sites I've visited etc, but it shows the ip.src as being the external interface to the load balancer.

Conversely, if I search for my workstation IP address, I can see my packet traffic to the internal interface of the load balancer, but it doesn't show the proxy traffic.

 

I welcome any suggestions to help solve my particular use case.

Thanks.

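The flow described in the question, as an added example that is not part of the original post and is not NetWitness query syntax: with the load balancer in the path there is no meta key shared by the two streams (the packet side ends at ip.dst = load balancer internal interface, the log side starts at ip.src = load balancer external interface), so the only thing the two record sets have in common is time. This Python sketch joins packet meta to proxy-log meta by a timestamp window and flags any proxy record that more than one client session could claim, which is the failure mode of a time-based join on a busy link. Addresses, users, timestamps and the window size are constructed for the example; the field names mirror the ones the question uses.

```python
from datetime import datetime, timedelta

# Constructed sample data: addresses, users and times are made up for this example.
LB_INTERNAL = "10.1.2.10"   # what the packet decoder records as ip.dst
LB_EXTERNAL = "10.1.3.10"   # what the proxy log records as ip.src

PACKET_META = [  # sessions seen by the packet decoder (client -> LB internal)
    {"time": "2017-11-06T10:00:00", "ip.src": "10.1.1.50", "ip.dst": LB_INTERNAL},
    {"time": "2017-11-06T10:00:03", "ip.src": "10.1.1.51", "ip.dst": LB_INTERNAL},
    {"time": "2017-11-06T10:00:03", "ip.src": "10.1.1.52", "ip.dst": LB_INTERNAL},
    {"time": "2017-11-06T10:05:00", "ip.src": "10.1.1.50", "ip.dst": LB_INTERNAL},
    {"time": "2017-11-06T10:06:00", "ip.src": "10.1.1.50", "ip.dst": "10.1.9.9"},  # not via the LB
]
PROXY_LOGS = [  # meta from the proxy syslog (LB external -> proxy)
    {"time": "2017-11-06T10:00:01", "ip.src": LB_EXTERNAL, "user": "jkerwin", "url": "http://example.com/"},
    {"time": "2017-11-06T10:00:04", "ip.src": LB_EXTERNAL, "user": "asmith", "url": "http://example.org/"},
    {"time": "2017-11-06T10:05:01", "ip.src": LB_EXTERNAL, "user": "jkerwin", "url": "http://example.net/"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(packets, logs, lb_internal=LB_INTERNAL, lb_external=LB_EXTERNAL, window_seconds=2):
    """Join packet sessions to proxy log records by time.

    A proxy record is a candidate for a packet session when its ip.src is the load
    balancer's external interface and its timestamp falls within
    [session start, session start + window]. The window (assumed here) has to
    cover the latency between the client connecting to the LB and the proxy
    writing its log line.
    """
    window = timedelta(seconds=window_seconds)
    results = []
    for pkt in packets:
        if pkt["ip.dst"] != lb_internal:
            continue  # not traffic that went through the load balancer
        t0 = _ts(pkt["time"])
        matches = [
            rec for rec in logs
            if rec["ip.src"] == lb_external and t0 <= _ts(rec["time"]) <= t0 + window
        ]
        results.append({"client": pkt["ip.src"], "packet_time": pkt["time"], "matches": matches})

    # A proxy record claimed by more than one client session cannot be attributed
    # with confidence; mark those sessions as contested instead of guessing.
    claims = {}
    for res in results:
        for rec in res["matches"]:
            claims[id(rec)] = claims.get(id(rec), 0) + 1
    for res in results:
        res["contested"] = any(claims[id(rec)] > 1 for rec in res["matches"])
    return results


def sites_for_client(client_ip, packets=PACKET_META, logs=PROXY_LOGS, **kw):
    """Answer 'what did this workstation browse': (user, url) pairs, unambiguous matches only."""
    out = []
    for res in correlate(packets, logs, **kw):
        if res["client"] == client_ip and not res["contested"]:
            out.extend((rec["user"], rec["url"]) for rec in res["matches"])
    return out


def clients_for_user(user, packets=PACKET_META, logs=PROXY_LOGS, **kw):
    """Answer 'which workstation did this proxy user come from', unambiguous matches only."""
    clients = set()
    for res in correlate(packets, logs, **kw):
        if res["contested"]:
            continue
        if any(rec["user"] == user for rec in res["matches"]):
            clients.add(res["client"])
    return sorted(clients)


if __name__ == "__main__":
    for res in correlate(PACKET_META, PROXY_LOGS):
        print(res["client"], res["packet_time"], "contested" if res["contested"] else "",
              [(r["user"], r["url"]) for r in res["matches"]])
    print("10.1.1.50 browsed:", sites_for_client("10.1.1.50"))
    print("jkerwin came from:", clients_for_user("jkerwin"))
```

In the sample data the two sessions that start at 10:00:03 both fall within the window of the single proxy record at 10:00:04, so neither client gets credited with it; a time-based join is only as good as the clock sync between the decoders and the number of concurrent clients behind the load balancer. A deterministic join needs a real shared key, for example the load balancer preserving the client address in a header such as X-Forwarded-For that the proxy then logs, or the load balancer exporting its own connection log that carries both the client side and the proxy side of each connection.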