If your users pass through proxies and load balancers before reaching your web application, the IP field in IIS logs may show the IP address of a network device instead of the client’s IP address. In this post, I will explain how to log the actual client IP address in this scenario.
Long story short: You can use the X-Forwarded-For request header to find and log the IP address of the client. This field is not logged in IIS by default, so you need to add it manually.
Steps to log actual client IP address
You can use custom logging to add the X-Forwarded-For field. The way custom logging works differs between IIS versions, so I am including two sets of instructions below.
The directory the custom logs are stored in:
In IIS 7/7.5/8: %SystemDrive%\inetpub\logs\AdvancedLogs
In IIS 8.5+: %SystemDrive%\inetpub\logs\LogFiles
Add X-Forwarded-For column in IIS 7/7.5/8
Open IIS Manager
At the server, site or application level, double-click “Advanced Logging”
In the action pane on the right side, click “Enable Advanced Logging”
In the action pane, click “Edit Logging Fields”
In the new window, click “Add Field”
In the “Add Logging Field” window, fill out the following fields
Field ID: X-Forwarded-For, Source type: Response Header, Source name: X-Forwarded-For
In the middle pane, select the default log definition %COMPUTERNAME%-Server. Click “Edit Log Definition”
Click “Select Logging Fields”
Select “X-Forwarded-For” from the list. Click “OK”
Click “Apply” in the actions pane
After these steps, wait for a new log file to be created. Column changes will be effective only after a new log file is created. You may need to generate some traffic to fill the current log file.
Here is the PowerShell command to add X-Forwarded-For header at the server level.
Wait for a new log file to be created in the logs folder. Column changes will be effective when a new log file is created.
Note 1: If you see a dash (“-”) instead of an IP address in the X-Forwarded-For column, it means the client didn’t use any proxies or load balancers. In that case, the client IP is logged in the “c-ip” column.
Note 2: If you see multiple IP addresses in the X-Forwarded-For column, it means the client went through more than one network device. Each network device adds its own IP to the end of the value. The left-most IP address is the actual client IP address. The others belong to the network devices the client went through.
X-Forwarded-For: client1, proxy1, proxy2, …
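Added example (not from the original post): the left-most X-Forwarded-For entry is whatever the request already carried when it reached your first proxy, so a client can set it itself and it should not be used alone for access decisions or attribution. The PowerShell script below reads the c-ip and X-Forwarded-For columns of a W3C log and walks the chain from the right, skipping your own proxies, to get the address your outermost proxy actually saw. The log lines, the $TrustedProxies addresses and the function name Resolve-ClientIp are constructed for illustration.

```powershell
# Constructed sample of an IIS W3C log that has the X-Forwarded-For custom field.
$SampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2024-01-01 10:00:00 198.51.100.20 GET /index.html 200 -
2024-01-01 10:00:01 10.0.0.5 GET /index.html 200 203.0.113.7
2024-01-01 10:00:02 10.0.0.5 GET /login 200 192.0.2.99,+203.0.113.8
2024-01-01 10:00:03 10.0.0.6 GET /login 200 203.0.113.9,+10.0.0.5
'@ -split "`r?`n"

# Assumption: the addresses of your own proxies and load balancers.
$TrustedProxies = @('10.0.0.5', '10.0.0.6')

function Resolve-ClientIp {
    param([string]$CIp, [string]$ForwardedFor, [string[]]$Trusted)

    $hops = @()
    if ($ForwardedFor -and $ForwardedFor -ne '-') {
        # IIS writes '+' in place of spaces, so "a, b" is logged as "a,+b".
        $hops = @($ForwardedFor -split ',' | ForEach-Object { $_.Trim(' +') } | Where-Object { $_ })
    }
    $chain    = @($hops) + $CIp   # oldest hop first, direct peer (c-ip) last
    $verified = $chain[0]         # fallback when every hop is a trusted proxy
    # Walk right to left: the first address that is not one of our proxies
    # is the last one that a device we control actually observed.
    for ($i = $chain.Count - 1; $i -ge 0; $i--) {
        if ($Trusted -notcontains $chain[$i]) { $verified = $chain[$i]; break }
    }
    [pscustomobject]@{
        CIp      = $CIp
        Leftmost = if ($hops.Count) { $hops[0] } else { $null }
        Verified = $verified
    }
}

$fields  = @()
$results = foreach ($line in $SampleLog) {
    # The #Fields directive names the columns; other # lines are skipped.
    if ($line -like '#Fields:*') { $fields = @($line.Substring(8).Trim() -split ' '); continue }
    if (-not $line -or $line.StartsWith('#')) { continue }
    $cols = $line -split ' '
    $cip  = $cols[[array]::IndexOf($fields, 'c-ip')]
    $xff  = $cols[[array]::IndexOf($fields, 'X-Forwarded-For')]
    Resolve-ClientIp -CIp $cip -ForwardedFor $xff -Trusted $TrustedProxies
}

$results | Format-Table -AutoSize
# Rows where the left-most entry is not the address the trusted proxies saw.
$results | Where-Object { $_.Leftmost -and $_.Leftmost -ne $_.Verified } | Format-Table -AutoSize
```

In the third sample row the two values differ: 192.0.2.99 arrived with the request, while 203.0.113.8 is the entry appended by the trusted proxy 10.0.0.5.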
If you implemented client IP address logging by using ARR Helper in IIS 7 and are wondering how to do the same in IIS 10, follow the steps below.
Instead of using arr_helper_x64.msi, use requestrouterhelper_x64.msi in IIS 10:
Install ARR 3.0 on a server. It doesn’t have to be an IIS server you actually use. We need the ARR 3.0 installation just to get requestrouterhelper_x64.msi from its folder
Go to the installation directory (%ProgramFiles%\IIS\Application Request Routing). Copy requestrouterhelper_x64.msi to your IIS server
Open a Command Prompt in that folder. Run “install requestrouterhelper_x64.msi”