How to log client IP when IIS is load balanced: the X-Forwarded-For Header (XFF)

Published Nov 16 2018 07:01 AM
Microsoft

First published on MSDN on Sep 05, 2018
The X-Forwarded-For (XFF) header is essential whenever a proxy or load balancer sits between the client browser and IIS. The proxy or load balancer uses it to forward the client's IP to IIS, giving IIS the information it needs to track the incoming user.

Check your proxy or load balancer documentation for how to enable XFF. Once it's enabled, follow the steps below to add a custom logging field in IIS 8.5+ that logs the XFF-forwarded client IP:

1. Launch the IIS Manager UI (alternatively, at an elevated command prompt, type inetmgr.exe)

2. Double-click "Logging"

3. Click "Select Fields"

4. Click "Add Field"

5. In the Add Custom Field window, type as follows

6. Click "Apply" in the Actions pane in the top right corner

Logs with the incoming client IP will be recorded in the IIS log (default location is %SystemDrive%\inetpub\logs\LogFiles). The new log files will have an extra "_x" in their names.
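Once the field is in the log, the header still has to be interpreted: X-Forwarded-For arrives from the client side and may list several hops, so only the entries written by your own proxies can be believed. The following is an added example (not part of the original post) that reads a W3C "_x" log and picks the effective client IP per request; the column name `X-Forwarded-For`, the trusted subnet and the log lines are constructed assumptions.

```python
import ipaddress

# Constructed sample of an IIS W3C "_x" log. The custom column name
# "X-Forwarded-For" is an assumption (it is whatever was typed in step 5).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2018-09-05 10:00:01 10.0.0.5 GET /default.aspx 200 203.0.113.7
2018-09-05 10:00:02 10.0.0.5 GET /login.aspx 200 198.51.100.9,+203.0.113.8
2018-09-05 10:00:03 10.0.0.5 GET /health.htm 200 -
2018-09-05 10:00:04 192.0.2.44 GET /admin.aspx 403 127.0.0.1
"""
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: load balancer subnet

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def parse_ip(token):
    token = token.strip("+ ")   # IIS W3C logs write spaces as "+"
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit() and host.count(".") == 3:
        token = host            # IPv4 "address:port", as some proxies send
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def effective_client_ip(c_ip, xff):
    client = ipaddress.ip_address(c_ip)  # start at the TCP peer, walk XFF right to left
    if xff == "-" or not is_trusted(client):
        return str(client)      # no header, or a peer that is not our proxy
    for token in reversed(xff.split(",")):
        hop = parse_ip(token)
        if hop is None:
            break               # malformed entry: stop believing the chain
        client = hop
        if not is_trusted(hop):
            break               # first address not written by our own proxies
    return str(client)

def resolve_log(text):
    fields, results = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            ip = effective_client_ip(row["c-ip"], row.get("X-Forwarded-For", "-"))
            results.append((row["cs-uri-stem"], ip))
    return results
```

`resolve_log(SAMPLE_LOG)` returns one `(cs-uri-stem, client IP)` pair per request; for the `/login.aspx` line the leftmost XFF entry is ignored because the client could have supplied it, and for `/admin.aspx` the header is ignored entirely because the request did not come through the load balancer.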

 

There is another great blog with additional info that you may wanna look into.

Last update: Sep 24 2019 11:29 AM