7:00 AM
El DiPablo
Well, the other day I was asked to identify certain traffic by IP address, and I couldn't. The logs only showed that of Incapsula. I asked Incapsula for their logs so I could correlate, but they only keep security related logs due to PCI compliance, which is understandable. That meant that I needed a way to log X-Forwarded-For header information going forward.
If you are not familiar with X-Forwarded-For, according to Wikipedia:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.Makes sense right? Well, the good news is that both Apache and IIS (8.5 and above) support logging X-Forwarded-For natively with some slight modifications.
For IIS:
- In IIS Manager, click the server name in the left panel to go to the Home screen
- Click on Logging
- Click on the Select Fields button
- Click on the Add Field button
- In the Field Name box enter x-forwarded-for
- Leave Source Type set to Request Header
- In the Source box enter X-Forwarded-For
- Click OK
- Click OK again
- In the upper right of the Logging page click Apply
- Restart IIS
Your logs will now be appended with _x to show that the logs contain custom fields. You can also follow this same process at the site level if you want. The above example makes the change global for all sites on the server.
For Apache (In Ubuntu):
- Edit /etc/apache2/apache2.conf
- Find the line that says
LogFormat “%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - Change it to
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - Restart Apache
Did this post help you? Let us know in the comments!
