I have recently discovered something that puzzled me: doing the request from a client to a Cloudfront collector and to a Scala Stream collector would result in different user_ipaddress fields after enriching the events.
I checked the contents of both the Cloudfront log line and the Thrift event and found that both had the x-forwarded-for field/header set.
After digging into the source code, I think I found the reason. The ThriftLoader used to load events from the Scala Stream collector uses the x-forwarded-for header to determine the user’s IP, but the CloudfrontLoader ignores the x-forwarded-for field from the log line.
Am I missing something? Would you accept PRs to make CloudfrontLoader use the x-forwarded-for field?