AWStats log format for tomcat access logs which has X-Forwarded-For

Question

What should be the AWStats log format for below tomcat access logs ?

I tried these formats but the external IP addresses are not coming into AWStats reports.

LogFormat="%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot %referer %other %other"

LogFormat="%other %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot %host_proxy"

tomcat valve settings:

pattern="%h %l %{USER_ID}s %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"  "X-Forwarded-For=%{X-Forwarded-For}i"  "JSESSIONID=%{JSESSIONID}c" %D"

Log entry:

127.0.0.1 - - [04/Nov/2013:13:39:55 +0000] "GET / HTTP/1.1" 200 12345 "https://www.google.com/url?some_url" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"  "X-Forwarded-For=real_ip, proxy_server_internal_ip"  "JSESSIONID=-" 12345

Answer 1

$ echo $STR
127.0.0.1 - - [10/Nov/2013:04:14:03 +0000] "GET /XXXX/js/service.js HTTP/1.1" 200 656 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "X-Forwarded-For=75.67.17.69, 10.2.0.121" "JSESSIONID=YYYY" 2

$ echo $STR | perl -pe 's/X\-Forwarded\-For=([\d\.]+).*?\"/X-Forwarded-For=$1"/g'
127.0.0.1 - - [10/Nov/2013:04:14:03 +0000] "GET /XXXX/js/service.js HTTP/1.1" 200 656 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" "X-Forwarded-For=75.67.17.69" "JSESSIONID=YYYY" 2

Answer 2

Thanks for the help.

Did one more trick, awstat wants host_proxy logs as 75.67.17.69, 10.2.0.121, so changed your perl command as below which changes "X-Forwarded-For=75.67.17.69, 10.2.0.121" to "75.67.17.69, 10.2.0.121" without quotes and extra spaces removed.

perl -pe 's/ "X-Forwarded-For=([\d.,\s]+).*?" /$1/g'

After the changes the logs are provided to awstat for processing.