TWEAKING IIS LOGS USING ADVANCED LOGGING


Scenario

Recently I was working with a customer who wanted to tweak IIS log field values. The customer had a load-balanced environment consisting of 2 web servers behind an F5 load balancer. The requirement was to log the original client IP under the “c-ip” field instead of “X-FORWARDED-FOR” in the IIS logs. The reason was that he was using a reporting tool that parses IIS logs and understands only the “c-ip” field, not “X-FORWARDED-FOR”.

Troubleshooting

The scenario was quite challenging because the requirement cannot be met with the existing Logging module in IIS. We can add a custom field through the logging module, but the “Field Name” must not conflict with any of the predefined fields of the IIS log. For example, if I try to add a custom field with ‘Source Type’ set to “Request Header” and ‘Source’ set to “X-FORWARDED-FOR”, I cannot use c-ip as the ‘Field Name’ because it throws the conflict error below, saying that ‘c-ip’ is a standard field that already exists.

Conflict in Advanced Logging Module

Solution

There are two solutions to this problem. The first is to create a custom ISAPI filter or HTTP module that replaces the “c-ip” field value with the value of the “X-FORWARDED-FOR” request header, which the F5 load balancer passes in every client request.

The second option is to use “Advanced Logging”, which is an out-of-band module for IIS. I used this option because it is less time-consuming and easier to implement than the first. The following steps implement Advanced Logging to satisfy the customer’s requirement:

           IIS root node    Advanced Logging Module

  • Click the “Enable Advanced Logging” option in the Actions pane on the right.

           Enable Advanced Logging

  • Click the Edit Logging Fields… option, then click the Add Field… button in the pop-up window.
  • Fill in the following fields with the values given below:
    • Field ID : <Any Friendly Name>
    • Category : <Blank>
    • Source type : Request Header
    • Source name : X-FORWARDED-FOR
    • Log header name : c-ip

           Advanced Logging Fields

  • Double-click the default Log definition under the Advanced Logging module and click the Select Fields… button.

           Log Definition

  • Select the custom field that you created in step 5 and click OK.

           Custom Field

  • Now access the website from any client machine and check the log created by the Advanced Logging module in the default location: C:\inetpub\logs\AdvancedLogs (this location can be configured). In a load-balanced environment, you will find the original client IP logged under c-ip instead of under the X-FORWARDED-FOR field.
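
With this configuration c-ip is filled from the X-FORWARDED-FOR request header rather than from the TCP connection, so it is worth checking that every logged value is a single valid IP address. The script below is an added example, not part of the original post; the sample log lines are constructed, and the space-delimited layout with a `#Fields:` directive and `-` for an empty value is an assumption about the log format.

```python
import ipaddress

# Constructed sample (not real traffic). Assumed layout: W3C-style,
# space-delimited, with a "#Fields:" directive naming the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem sc-status
2024-01-10 10:00:01 203.0.113.7 /default.aspx 200
2024-01-10 10:00:02 - /health.htm 200
2024-01-10 10:00:03 198.51.100.9,203.0.113.7 /login.aspx 200
2024-01-10 10:00:04 not-an-ip /default.aspx 200
2024-01-10 10:00:05 2001:db8::1 /default.aspx 200
"""

def classify_c_ip(value):
    """Return 'ok', 'missing', 'multiple' or 'invalid' for one c-ip value."""
    if value in ("-", ""):
        # Header absent, e.g. a request that did not pass the load balancer.
        return "missing"
    parts = [p.strip("+ ") for p in value.split(",")]
    if len(parts) > 1:
        # X-Forwarded-For can carry a comma-separated chain of addresses.
        return "multiple"
    try:
        ipaddress.ip_address(parts[0])
    except ValueError:
        return "invalid"
    return "ok"

def audit_log(text):
    """Return (line_number, value, verdict) for each entry whose c-ip is not 'ok'."""
    findings, col = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            col = fields.index("c-ip") if "c-ip" in fields else None
            continue
        if not line or line.startswith("#") or col is None:
            continue
        cells = line.split()
        value = cells[col] if col < len(cells) else ""
        verdict = classify_c_ip(value)
        if verdict != "ok":
            findings.append((n, value, verdict))
    return findings

if __name__ == "__main__":
    for n, value, verdict in audit_log(SAMPLE_LOG):
        print(f"line {n}: c-ip={value!r} -> {verdict}")
```
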
Comments (3)

  1. Jamie says:

    Is there advanced logging for server 2016? The old install is not compatible…

    1. Advanced Logging module is no longer supported from Windows Server 2012 R2. You can write an HTTP module to handle it during request processing. If you don’t want to write one yourself, there are a couple of options out there that can do the job for you:

      1. ARRHelper: http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx
      2. A 3rd party module, written by one of F5’s architects: https://devcentral.f5.com/blogs/us/x-forwarded-for-http-module-for-iis7-source-included#.UdrYQ6TD9mM

      Hope that answers your question 🙂
