If your users jump through proxies and load balancers before accessing to your web application, the IP field in IIS logs may show the IP address of a network device instead of client’s IP address. In this post, I will explain how to log actual client’s IP address in this scenario.
Long story short: You can use X-Forwarded-For request header to find and log the IP address of the client. This field is not logged in IIS by default so that you need to manually add it.
You can use custom logging to add X-Forwarded-For field. The way custom logging works is different based on IIS version. I am including two sets of instructions below for different versions.
The directory the custom logs are stored in:
%SystemDrive%\inetpub\logs\AdvancedLogs
%SystemDrive%\inetpub\logs\LogFiles
%COMPUTERNAME%-Server
. Click “Edit Log Definition“After these steps, wait for a new log file to be created. Column changes will be effective only after a new log file is created. You may need to generate some traffic to fill the current log file.
Here is the PowerShell command to add X-Forwarded-For header at the server level.
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.applicationHost/sites/siteDefaults/logFile/customFields" -name "." -value @{logFieldName='X-Forwarded-For';sourceName='X-Forwarded-For';sourceType='RequestHeader'}
Custom logging became easier to configure with the IIS 8.5. Follow the steps below to add X-Forwarded-For column into IIS logs.
Note: Check out this post for more screenshots.
Wait for a new log file to be created in the logs folder. Column changes will be effective when a new log file is created.
Note 1: If you see a dash (“-“) instead of an IP address in X-Forwarded-For column, it means the client didn’t use any proxies or load balancers. Therefore, the client IP must be logged in the “c-ip” column
Note 2: If you see multiple IP addresses in X-Forwarded-For column, it means the client went through more than one network device. Each network device adds their own IP to the end of the value. The left-most IP address is the actual client IP address. Others belong to network devices the client go through.
X-Forwarded-For: client1, proxy1, proxy2, …
If you implemented client IP address by using ARR Helper in IIS 7 and wondering how to do the same in IIS 10, follow the steps below.
Instead of using arr_helper_x64.msi, use requestrouterhelper_x64.msi in IIS 10:
%ProgramFiles%\IIS\Application Request Routing
). Copy requestrouterhelper_x64.msi to your IIS serverYou must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.