10-18-2018 01:24 PM
For SIEM purposes, it would be greatly beneficial to capture the originating _users_ IP address instead of the IP address of the host, which is not very helpful. I understand that this information is further back in the request and is not available at the web browser level. It should be fairly easy to modify the web application's server config to include this information in the event stream.
For instance, when running queries through Impala or Hive while inside of Hue, the Hue service IP is recorded instead of the IP of the user that is logged into Hue.