How to pass client IP onto access logs for TCP (port:22) connections?

Question

We have bitbucket installed and we would want to capture client ip address for every ssh git operation. We were able to capture client IP for http git operation. We have apache httpd configured and we added the following configuration to make it work (under "IfModule log_config_module" section).

RemoteIPHeader x-client-ip
RemoteIPInternalProxy

LogFormat "%a %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-agent}i\" %% %T %D" combined

LogFormat "%a %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\" %% %T %D SSL: %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined-ssl

By this, we're able to capture client IP for all git operations of http. But, we're not able to get the client IP for SSH Git operations. Currently, it is capturing LTM IP in the access logs.

kvshreyas8_3415 · Answer

Tried the following, but they do not work for our architecture.¬†
https://devcentral.f5.com/s/feed/0D51T00006j2herSAA¬†
https://devcentral.f5.com/s/feed/0D51T00006i7VPnSAM¬†
Reasons:
We cannot enable the F5s remotely to send syslog to each server with this requirement.¬†
Disabling automap will cause the connection to not work at all as our architecture requires SNATTing for routing to work.¬†

kai_wilke · Answer

Hi kvshreyas8,&nbsp;
the SSH protocol does not provide such a "X-Forwarded-For" or "X-Client-IP" feature like the HTTP protocol does. &nbsp;
The only chance I currently see to still meet your requirements, is to inject the original Client-IP into the initial cleartext Client/Version exchange of the SSH conversation (its the first TCP packet send by the client to the server). &nbsp;
The outcome of this injection technique would then still depend on the logging abilities of your SSH server. If the SSH server is able to log the SSH-User-Agent/Version string passed during SSH negotiation, then you could somehow parse the original client IP out of those log lines...&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

How to pass client IP onto access logs for TCP (port:22) connections?

2 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

Log client to vip connections

Limit Connections From Client

Connect to the F5 VPN with BIG-IP Edge Client

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

F5 Distributed Cloud - Traffic Steering based on Client IP Address

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS