%3CLINGO-SUB%20id%3D%22lingo-sub-873115%22%20slang%3D%22en-US%22%3EHow%20to%20use%20X-Forwarded-For%20header%20to%20log%20actual%20client%20IP%20address%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-873115%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20your%20users%20jump%20through%20proxies%20and%20load%20balancers%20before%20accessing%20to%20your%20web%20application%2C%20the%20IP%20field%20in%20IIS%20logs%20may%20show%20the%20IP%20address%20of%20a%20network%20device%20instead%20of%20client%E2%80%99s%20IP%20address.%20In%20this%20post%2C%20I%20will%20explain%20how%20to%20log%20actual%20client%E2%80%99s%20IP%20address%20in%20this%20scenario.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELong%20story%20short%3A%20You%20can%20use%26nbsp%3BX-Forwarded-For%26nbsp%3Brequest%20header%20to%20find%20and%20log%20the%20IP%20address%20of%20the%20client.%20This%20field%20is%20not%20logged%20in%20IIS%20by%20default%20so%20that%20you%20need%20to%20manually%20add%20it.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1822911104%22%20id%3D%22toc-hId-1822911104%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--729245857%22%20id%3D%22toc-hId--729245857%22%3ESteps%20to%20log%20actual%20client%20IP%20address%3C%2FH2%3E%0A%3CP%3EYou%20can%20use%20custom%20logging%20to%20add%20X-Forwarded-For%20field.%20The%20way%20custom%20logging%20works%20is%20different%20based%20on%20IIS%20version.%20I%20am%20including%20two%20sets%20of%20instructions%20below%20for%20different%20versions.%3C%2FP%3E%0A%3CP%3EThe%20directory%20the%20custom%20logs%20are%20stored%20in%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIn%20IIS%207%2F7.5%2F8%3A%3CCODE%3E%25%3CEM%3ESystemDrive%3C%2FEM%3E%25%5Cinetpub%5Clogs%5CAdvancedLogs%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3EIn%20IIS%208.5%2B%3A%20%3CCODE%3E%25%3CEM%3ESystemDrive%3C%2FEM%3E%25%5Cinetpub%5Clogs%5CLogFiles%3C%2FCODE%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId-817050973%22%20id%3D%22toc-hId-817050973%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1735105988%22%20id%3D%22toc-hId--1735105988%22%3EAdd%20X-Forwarded-For%20column%20in%20IIS%207%2F7.5%2F8%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%3EOpen%20IIS%20Manager%3C%2FLI%3E%0A%3CLI%3EOn%20server%2C%20site%20or%20application%20level%2C%20double%20click%20%E2%80%9C%3CSTRONG%3EAdvanced%20Logging%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20the%20action%20pane%20on%20right%20side%2C%20click%20%E2%80%9C%3CSTRONG%3EEnable%20Advanced%20Logging%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20the%20action%20pane%2C%20click%20%E2%80%9C%3CSTRONG%3EEdit%20Logging%20Fields%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20the%20new%20window%2C%20click%20%E2%80%9C%3CSTRONG%3EAdd%20Field%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20%E2%80%9C%3CSTRONG%3EAdd%20Logging%20Field%3C%2FSTRONG%3E%E2%80%9D%20window%2C%20fill%20out%20the%20following%20fields%3C%2FLI%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EField%20ID%3A%3C%2FSTRONG%3E%26nbsp%3B%3CEM%3EX-Forwarded-For%3C%2FEM%3E%2C%26nbsp%3B%3CSTRONG%3ESource%20type%3A%3C%2FSTRONG%3E%26nbsp%3B%3CEM%3EResponse%20Header%3C%2FEM%3E%2C%26nbsp%3B%3CSTRONG%3ESource%20name%3A%3C%2FSTRONG%3E%26nbsp%3B%3CEM%3EX-Forwarded-For%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3EOK%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20the%20middle%20pane%2C%20select%20the%20default%20log%20definition%20%3CCODE%3E%3CEM%3E%25COMPUTERNAME%25-Server%3C%2FEM%3E%3C%2FCODE%3E.%20Click%20%E2%80%9C%3CSTRONG%3EEdit%20Log%20Definition%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3ESelect%20Logging%20Fields%3C%2FSTRONG%3E%E2%80%9D%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ESelect%20%E2%80%9C%3CSTRONG%3EX-Forwarded-For%3C%2FSTRONG%3E%E2%80%9D%20from%20the%20list.%20Click%20%E2%80%9COK%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3EApply%3C%2FSTRONG%3E%E2%80%9D%20in%20the%20actions%20pane%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EAfter%20these%20steps%2C%20wait%20for%20a%20new%20log%20file%20to%20be%20created.%20Column%20changes%20will%20be%20effective%20only%20after%20a%20new%20log%20file%20is%20created.%20You%20may%20need%20to%20generate%20some%20traffic%20to%20fill%20the%20current%20log%20file.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-7704347%22%20id%3D%22toc-hId-7704347%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-1750514682%22%20id%3D%22toc-hId-1750514682%22%3EPowershell%3C%2FH3%3E%0A%3CP%3EHere%20is%20the%20PowerShell%20command%20to%20add%20X-Forwarded-For%20header%20at%20the%20server%20level.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3EAdd-WebConfigurationProperty%20-pspath%20'MACHINE%2FWEBROOT%2FAPPHOST'%20%20-filter%20%22system.applicationHost%2Fsites%2FsiteDefaults%2FlogFile%2FcustomFields%22%20-name%20%22.%22%20-value%20%40%7BlogFieldName%3D'X-Forwarded-For'%3BsourceName%3D'X-Forwarded-For'%3BsourceType%3D'RequestHeader'%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--801642279%22%20id%3D%22toc-hId--801642279%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-941168056%22%20id%3D%22toc-hId-941168056%22%3EAdd%20X-Forwarded-For%20column%20in%20IIS%208.5%20and%20newer%20versions%3C%2FH3%3E%0A%3CP%3ECustom%20logging%20became%20easier%20to%20configure%20with%20the%20IIS%208.5.%20Follow%20the%20steps%20below%20to%20add%20X-Forwarded-For%20column%20into%20IIS%20logs.%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EOpen%20IIS%20Manager%3C%2FLI%3E%0A%3CLI%3EOn%20server%2C%20site%20or%20application%20level%2C%20double%20click%20%E2%80%9C%3CSTRONG%3ELogging%3C%2FSTRONG%3E%E2%80%9D%3C%2FLI%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3ESelect%20Fields%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20%E2%80%9C%3CSTRONG%3EW3C%20Logging%20Fields%3C%2FSTRONG%3E%E2%80%9D%20window%2C%20click%20%E2%80%9C%3CSTRONG%3EAdd%20Field%3C%2FSTRONG%3E%E2%80%9C%3C%2FLI%3E%0A%3CLI%3EIn%20the%20%E2%80%9C%3CSTRONG%3EAdd%20Custom%20Field%3C%2FSTRONG%3E%E2%80%9D%20window%2C%20fill%20out%20the%20following%20fields%3C%2FLI%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EField%20Name%3A%3C%2FSTRONG%3E%26nbsp%3B%3CEM%3EX-Forwarded-For%3C%2FEM%3E%2C%26nbsp%3B%3CSTRONG%3ESource%20type%3A%26nbsp%3B%3C%2FSTRONG%3E%3CEM%3ERequest%20Header%3C%2FEM%3E%2C%26nbsp%3B%3CSTRONG%3ESource%3A%3C%2FSTRONG%3E%26nbsp%3B%3CEM%3EX-Forwarded-For%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3EOK%3C%2FSTRONG%3E%E2%80%9D%20in%20both%20open%20windows%3C%2FLI%3E%0A%3CLI%3EClick%20%E2%80%9C%3CSTRONG%3EApply%3C%2FSTRONG%3E%E2%80%9D%20in%20the%20actions%20pane%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CDIV%20id%3D%22tinyMceEditorclipboard_image_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3ENote%3A%20Check%20out%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FIIS-Support-Blog%2FHow-to-log-client-IP-when-IIS-is-load-balanced-the-X-Forwarded%2Fba-p%2F287878%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ethis%20post%3C%2FA%3E%20for%20more%20screenshots.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20885px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F133344iA29EB7B9DAF89C16%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22IIS-custom-field-1.png%22%20title%3D%22IIS-custom-field-1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWait%20for%20a%20new%20log%20file%20to%20be%20created%20in%20the%20logs%20folder.%20Column%20changes%20will%20be%20effective%20when%20a%20new%20log%20file%20is%20created.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%201%3A%26nbsp%3B%3C%2FSTRONG%3EIf%20you%20see%20a%20dash%20(%E2%80%9C-%E2%80%9C)%20instead%20of%20an%20IP%20address%20in%26nbsp%3BX-Forwarded-For%26nbsp%3Bcolumn%2C%20it%20means%20the%20client%20didn%E2%80%99t%20use%20any%20proxies%20or%20load%20balancers.%20Therefore%2C%20the%20client%20IP%20must%20be%20logged%20in%20the%20%E2%80%9Cc-ip%E2%80%9D%20column%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%202%3A%3C%2FSTRONG%3E%26nbsp%3BIf%20you%20see%20multiple%20IP%20addresses%20in%26nbsp%3BX-Forwarded-For%26nbsp%3Bcolumn%2C%20it%20means%20the%20client%20went%20through%20more%20than%20one%20network%20device.%20Each%20network%20device%20adds%20their%20own%20IP%20to%20the%20end%20of%20the%20value.%20The%20left-most%20IP%20address%20is%20the%20actual%20client%20IP%20address.%20Others%20belong%20to%20network%20devices%20the%20client%20go%20through.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EX-Forwarded-For%3A%20client1%2C%20proxy1%2C%20proxy2%2C%20%E2%80%A6%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1610988905%22%20id%3D%22toc-hId--1610988905%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-131821430%22%20id%3D%22toc-hId-131821430%22%3EARR%20Helper%3C%2FH3%3E%0A%3CP%3EIf%20you%20implemented%20client%20IP%20address%20by%20using%20ARR%20Helper%20in%20IIS%207%20and%20wondering%20how%20to%20do%20the%20same%20in%20IIS%2010%2C%20follow%20the%20steps%20below.%3C%2FP%3E%0A%3CP%3EInstead%20of%20using%26nbsp%3B%3CSTRONG%3Earr_helper_x64.msi%3C%2FSTRONG%3E%2C%20use%26nbsp%3B%3CSTRONG%3Erequestrouterhelper_x64.msi%3C%2FSTRONG%3E%26nbsp%3Bin%20IIS%2010%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EInstall%20ARR%203.0%20to%20a%20server.%20It%20doesn%E2%80%99t%20have%20to%20be%20an%20IIS%20server%20you%20actually%20use.%20We%20need%20ARR%203.0%20installation%20just%20to%20get%20requestrouterhelper_x64.msi%20from%20its%20folder%3C%2FLI%3E%0A%3CLI%3EGo%20to%20installation%20directory%20(%3CCODE%3E%25ProgramFiles%25%5CIIS%5CApplication%20Request%20Routing%3C%2FCODE%3E).%20Copy%20requestrouterhelper_x64.msi%20to%20your%20IIS%20server%3C%2FLI%3E%0A%3CLI%3EOpen%20a%20Command%20Prompt%20in%20that%20folder.%20Run%20%E2%80%9Cinstall%20requestrouterhelper_x64.msi%E2%80%9D%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH4%20id%3D%22toc-hId--637480883%22%20id%3D%22toc-hId--637480883%22%3E%26nbsp%3B%3C%2FH4%3E%0A%3CH4%20id%3D%22toc-hId-1105329452%22%20id%3D%22toc-hId-1105329452%22%3EReferences%3A%3C%2FH4%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fextensions%2Fadvanced-logging-module%2Fadvanced-logging-for-iis-custom-logging%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAdvanced%20Logging%20for%20IIS%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fget-started%2Fwhats-new-in-iis-85%2Fenhanced-logging-for-iis85%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEnhanced%20Logging%20for%20IIS%208.5%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc7239%23page-6%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERFC%207239%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-873115%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EIf%20your%20users%20jump%20through%20proxies%20and%20load%20balancers%20before%20accessing%20to%20your%20web%20application%2C%20the%20IP%20field%20in%20IIS%20logs%20may%20show%20the%20IP%20address%20of%20a%20network%20device%20instead%20of%20client%E2%80%99s%20IP%20address.%20In%20this%20post%2C%20I%20will%20explain%20how%20to%20log%20actual%20client%E2%80%99s%20IP%20address%20in%20this%20scenario.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Microsoft

If your users jump through proxies and load balancers before accessing to your web application, the IP field in IIS logs may show the IP address of a network device instead of client’s IP address. In this post, I will explain how to log actual client’s IP address in this scenario.

 

Long story short: You can use X-Forwarded-For request header to find and log the IP address of the client. This field is not logged in IIS by default so that you need to manually add it.

 

Steps to log actual client IP address

You can use custom logging to add X-Forwarded-For field. The way custom logging works is different based on IIS version. I am including two sets of instructions below for different versions.

The directory the custom logs are stored in:

  • In IIS 7/7.5/8: %SystemDrive%\inetpub\logs\AdvancedLogs
  • In IIS 8.5+: %SystemDrive%\inetpub\logs\LogFiles

 

Add X-Forwarded-For column in IIS 7/7.5/8

  1. Open IIS Manager
  2. On server, site or application level, double click “Advanced Logging
  3. In the action pane on right side, click “Enable Advanced Logging
  4. In the action pane, click “Edit Logging Fields
  5. In the new window, click “Add Field
  6. In “Add Logging Field” window, fill out the following fields
    • Field ID: X-Forwarded-ForSource type: Response HeaderSource name: X-Forwarded-For
  7. Click “OK
  8. In the middle pane, select the default log definition %COMPUTERNAME%-Server. Click “Edit Log Definition
  9. Click “Select Logging Fields” 
  10. Select “X-Forwarded-For” from the list. Click “OK
  11. Click “Apply” in the actions pane

After these steps, wait for a new log file to be created. Column changes will be effective only after a new log file is created. You may need to generate some traffic to fill the current log file.

 

Powershell

Here is the PowerShell command to add X-Forwarded-For header at the server level.

 

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.applicationHost/sites/siteDefaults/logFile/customFields" -name "." -value @{logFieldName='X-Forwarded-For';sourceName='X-Forwarded-For';sourceType='RequestHeader'}

 

 

Add X-Forwarded-For column in IIS 8.5 and newer versions

Custom logging became easier to configure with the IIS 8.5. Follow the steps below to add X-Forwarded-For column into IIS logs.

  1. Open IIS Manager
  2. On server, site or application level, double click “Logging
  3. Click “Select Fields
  4. In “W3C Logging Fields” window, click “Add Field
  5. In the “Add Custom Field” window, fill out the following fields
    • Field Name: X-Forwarded-ForSource type: Request HeaderSource: X-Forwarded-For
  6. Click “OK” in both open windows
  7. Click “Apply” in the actions pane
 

Note: Check out this post for more screenshots. 

 

IIS-custom-field-1.png

Wait for a new log file to be created in the logs folder. Column changes will be effective when a new log file is created.

 

Note 1: If you see a dash (“-“) instead of an IP address in X-Forwarded-For column, it means the client didn’t use any proxies or load balancers. Therefore, the client IP must be logged in the “c-ip” column

 

Note 2: If you see multiple IP addresses in X-Forwarded-For column, it means the client went through more than one network device. Each network device adds their own IP to the end of the value. The left-most IP address is the actual client IP address. Others belong to network devices the client go through. 

 

X-Forwarded-For: client1, proxy1, proxy2, …

 

ARR Helper

If you implemented client IP address by using ARR Helper in IIS 7 and wondering how to do the same in IIS 10, follow the steps below.

Instead of using arr_helper_x64.msi, use requestrouterhelper_x64.msi in IIS 10:

  1. Install ARR 3.0 to a server. It doesn’t have to be an IIS server you actually use. We need ARR 3.0 installation just to get requestrouterhelper_x64.msi from its folder
  2. Go to installation directory (%ProgramFiles%\IIS\Application Request Routing). Copy requestrouterhelper_x64.msi to your IIS server
  3. Open a Command Prompt in that folder. Run “install requestrouterhelper_x64.msi”

 

References: