Tweaking IIS Logs using Advanced Logging
Scenario
Recently I was working with one of my customers where he wanted to tweak IIS log field values. The customer was having a load balanced environment consisting of 2 web servers having a F5 load balancer in the front. The requirement was to log the original client IP under “c-ip” field instead of “X-FORWARDED-FOR” in IIS logs. The reason being he was using some kind of reporting tool which parses IIS logs and can only understand “c-ip” not “X-FORWARDED-FOR” field.
Troubleshooting
The scenario was quite challenging as we cannot achieve the above requirement through the existing Logging module in IIS. We can add a custom field through logging module but the “Field Name” should not conflict with any of the pre-defined fields of IIS log. For example, if I try to add a custom field having ‘Source Type’ as “Request Header” and ‘Source’ as “X-FORWARDED-FOR”, I cannot put c-ip as the ‘Field Name’ because it will throw the below conflict error saying ‘c-ip’ is a standard field which is already existing.
Solution
There are two solutions to this problem, one being creating custom ISAPI filter or HTTP module through which we can replace “c-ip” field value with that present in “X-FORWARDED-FOR” request header which is being passed from the F5 load balancer in each and every client request.
The second option would be to use “Advanced Logging” which is an out-of-band module in IIS. I have used this option as it is less time consuming and easier method to implement as compared to the previous option. Below steps are taken to implement the Advanced Logging to satisfy the above customer’s requirement:
- Download the Advanced Logging module from the URL: https://www.iis.net/downloads/microsoft/advanced-logging and install it in the IIS server.
- Go to the root node or server level and double click on the Advanced Logging module as shown below:
- Click on “Enable Advanced Logging” option present on the Actions pane on the right.
- Click on Edit Logging Fields… option and click on Add Field… button on the pop-up window.
- Fill up the following fields with the values as mentioned below:
- Field ID : <Any Friendly Name>
- Category : <Blank>
- Source type : Request Header
- Source name : X-FORWARDED-FOR
- Log header name : c-ip
- Double click on the default Log definition present under the Advanced Logging module and click on Select Fields… button.
- Select the custom field which you have created in step 5 and click OK.
- Now try to access the website from any client machine and check the log created by Advanced Logging module in the default location: C:\inetpub\logs\AdvancedLogs (this location can be configured). You will find that the original client IP will be logged under c-ip instead of X-FORWARDED-FOR field in the log in a load balanced environment.
Comments
- Anonymous
December 05, 2016
Nice, it´s already exists a workaround:https://devcentral.f5.com/articles/x-forwarded-for-http-module-for-iis7-source-included - Anonymous
December 05, 2016
Is there advanced logging for server 2016? The old install is not compatible...- Anonymous
December 07, 2016
Advanced Logging module is no longer supported from Windows Server 2012 R2. You can write an HTTP module to handle it during request processing. If you don’t want to write one yourself, there are a couple of options out there that can do the job for you:1. ARRHelper: http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx2. A 3rd party module, written by one of F5’s architects: https://devcentral.f5.com/blogs/us/x-forwarded-for-http-module-for-iis7-source-included#.UdrYQ6TD9mMHope that answers your question :)
- Anonymous