Please bear with me if this has been addressed before, but I haven’t been able to find it. I realize that you can make the eve.json output rewrite the source IP with the XFF (X-Forwarded-For) IP. In the old days before unified2 was deprecated, I used to do this for unified2 as well, and that had barnyard2 syslog these over to our SIEM. Of course, unified2 support is gone, and now I’m using the built-in syslog functionality in Suricata. Is there any way to make Suri rewrite the source IP with XFF IP in the syslog messages? I tried just copying the xff portion of suricata.yaml down to the syslog area, but it didn’t seem to have any effect. Thanks!