Date Posted: 05-01-2016

By default, Apache logs the IP address that the request comes from. Consider a scenario where the webserver (in this post, we deal with Apache) sits behind a load balancer, such as an EC2 load balancer or an HAProxy load balancer. The request arrives at the load balancer, and the load balancer passes it on to the webserver.

If you view the Apache access log, you will see only the private IP address of the load balancer, similar to the lines below.


172.31.xx.xx - - [04/Jan/2017:13:35:00 +0000] "GET / HTTP/1.1" 301 588 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
172.31.xx.xx - - [04/Jan/2017:13:35:00 +0000] "GET / HTTP/1.1" 301 588 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"


 

It is hard to find out where a request originated when the logs contain only a private IP address. This post explains how to log the remote IP address in access.log.

Assumption:
  1. Webserver – Apache 2.4
  2. Operating System – Ubuntu. Though this post deals with Ubuntu, you can still refer to it for CentOS as well.
  3. Installation path: /etc/apache2
Implementation:

A webserver may host a single domain or multiple domains. You can use the same procedure if you want to enable a custom log for each domain.

Let's find out how many LogFormat entries are available on your webserver.

grep LogFormat /etc/apache2/apache2.conf

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

In the above output, the last word on each line (vhost_combined, combined, common, referer, agent) is the name of a log format that we can use.

Now we have to find out which log format the domain is using. We assume that the domain configuration is /etc/apache2/sites-enabled/000-default.conf.

grep CustomLog /etc/apache2/sites-enabled/000-default.conf

CustomLog ${APACHE_LOG_DIR}/access.log combined

In the above example, the combined log format is used. So the entries in the access.log file will be in the format "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" as mentioned above.

Now we are going to create a new log format and add it to the domain configuration. Open the file /etc/apache2/apache2.conf and append the following line to the LogFormat section.

vi /etc/apache2/apache2.conf

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded

Note down the name (combined-forwarded) that you use when setting up the new log format. We will use this name when setting up the custom log.

%{X-Forwarded-For}: X-Forwarded-For is a custom HTTP request header developed by the Squid development team. The header carries the IP address and passes it along upstream in the HTTP request.

Open the domain configuration and modify the CustomLog line to use the newly created log format.

vi /etc/apache2/sites-enabled/000-default.conf

 CustomLog ${APACHE_LOG_DIR}/access.log combined-forwarded

Check for any syntax errors and make sure it reports Syntax OK.

apachectl -t

Restart the webserver for the changes to come into effect.

systemctl restart apache2

Access the domain or IP address in the browser (http://IPADDRESS). Check the logs on the server. We will get the origin IP address as well as the load balancer IP address.

tail -f /var/log/apache2/access.log


xx.xx.xx.xx 172.31.xx.xx - - [05/Jan/2017:06:52:50 +0000] "GET / HTTP/1.1" 200 38439 "
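As an added example (not part of the original post): with the combined-forwarded format, the first field is whatever X-Forwarded-For header reached Apache, and a client can send its own value, which the load balancer then extends on the right. The Python sketch below picks the address to attribute a request to by reading that list from the right and believing it only when %h is a known load balancer; the 172.31.0.0/16 range, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Field layout of the combined-forwarded LogFormat from this post:
# %{X-Forwarded-For}i %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
)
# Assumption: the load balancers sit in this private range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.0.0/16")]

def is_trusted(ip):
    """True when ip belongs to one of our own load balancers."""
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(line):
    """Return the address to attribute the request to, or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None
    # Believe the header only when the TCP peer (%h) is one of our proxies.
    if m.group("xff") == "-" or not is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it saw, so read right to left and stop
    # at the first hop we do not operate; entries left of it are unverified.
    for entry in reversed(m.group("xff").split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not is_trusted(hop):
            return str(hop)
    return str(peer)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLES = [
    '203.0.113.7 172.31.10.5 - - [05/Jan/2017:06:52:50 +0000] "GET / HTTP/1.1" 200 38439 "-" "curl/7.47"',
    '10.9.9.9, 198.51.100.23 172.31.10.5 - - [05/Jan/2017:06:52:51 +0000] "GET / HTTP/1.1" 200 38439 "-" "curl/7.47"',
    '- 172.31.10.5 - - [05/Jan/2017:06:52:52 +0000] "GET /health HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.99 203.0.113.50 - - [05/Jan/2017:06:52:53 +0000] "GET / HTTP/1.1" 200 38439 "-" "curl/7.47"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(client_ip(sample))
```

The second sample carries a client-supplied entry on the left of the header and the fourth reaches Apache without passing through a load balancer; in both cases the left-hand value is not used for attribution.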


 
