9

We host our ASP.NET applications on two web servers (Server 2003, IIS 6) that reside behind a hardware load balancer. When I look at the IIS logs, the c-ip value in the IIS (v6) logs are ALWAYS the IP address of the load balancer. I noticed in the http headers, there is an X-Forwarded-For header that appears to have the requesting IP address. Is there something I can do to make IIS log this header value in the logs?

twlichty
  • 489
  • 1
  • 3
  • 9

5 Answers5

5

I don't know how long it's been around, but the Advanced Logging extension for IIS 7 and up (on Windows Server 2008 and up) offers Custom logging functionality which can be used to gather (almost) arbitrary information in IIS log files, including custom HTTP request (and response) headers like X-Forwarded-For.

I've just today set this up on our server and it works beautifully.

One thing to note: instead of editing the default Log Definition by the name of %COMPUTERNAME%-Server, just create a new one on your site or globally on your server to avoid the exception "The request is not supported." when trying to save your changes. This happens when you try to edit that default definition on the site level (thanks to this thread for the answer).

Oliver
  • 9,239
  • 9
  • 69
  • 100
  • The problem I found with IIS Advanced Logging (AL) is isn't doesn't play nice if you're using IIS as a front end web server and a JSP Servlet Container as the back-end, hooked in via AJP. AL records the container resource as the redirector DLL file, not the page the user visited, i.e. index.jsp. I turned on IIS debugging and found that AL fires first, then AJP module/filter changes the URL from, i.e. index.jsp to redirect DLL, and AL fires once more. I made AL the first module to fire but the result didn't change. I don't think IIS AL works if you're using AJP connector + Servlet Container. – user3621633 Jan 10 '17 at 17:47
3

When going through a proxy you the x-forwarded-for is what is most commonly used by load balancers. You can probably write an httpfilter which will swap this around yourself; or IIS Tracer has the ability to play with the standard files; including swapping the c-ip and x-forwarded field.

If this isnt being done for the use of a third party reporting tool; you might want to dump your logs into SQL Server where you can manipulate the columns whenever you want.

Personally i go for the latter so that i can get aggregate data for all the servers; i dump into different tables in the same db and then report from all the web servers in the farm. I also find it easier than managing 500mb or so log files all over the place.

u07ch
  • 13,324
  • 5
  • 42
  • 48
2

This is a pretty old question, but thought I'd add that IIS 8.5 has the ability to write custom HTTP headers to the IIS logs. This is a much nicer option than installing an ISAPI filter or HTTP module.

This walk through shows how to set this up through IIS Manager: http://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85

This other SO question shows how to do it with PowerShell: Add IIS 8.5 Custom Logging Fields with Powershell

Community
  • 1
  • 1
Rob Potter
  • 948
  • 6
  • 28
2

F5 networks offers an ISAPI filter on devcentral.f5.com that will take x-forwarded-for and use it in the logs.

Beyond that, though, there's not much you can do - this is how TCP works. :)

JohnW
  • 2,982
  • 1
  • 28
  • 30
0

IIS 8.5 advanced logging will let you log the X-FORWAREDED-FOR header easily.

IIS 8.5 Advanced Logging

Doolali
  • 956
  • 9
  • 13