smp wrote a tech tip that might work. You'll need to edit syslog though.
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx
Simply have the iRule check to see whether X-Forwarded-For exists and if it does, log its value but start with a string around which you can filter. I've edited his examples a bit, hopefully this will work. I don't have an environment in which to test this so I'd strongly recommend testing it in a lab environment or running through it with support.
when HTTP_REQUEST {
if { [HTTP::header exists "X-Forwarded-For"] } {
log local0. "X-Forwarded-For was [HTTP::header X-Forwarded-For]" }
}
Then you'll need to edit your syslog file as in the example.
Using smp's example:
tmsh modify sys syslog include '"
filter f_local0 {
facility(local0) and not match(\": \");
};
filter f_local0_customwa {
facility(local0) and match(\": \");
};
destination d_customwa {
file(\"/var/log/wa\" create_dirs(yes));
};
log {
source(local);
filter(f_local0_customlog);
destination(d_customlog);
};
"'
save the configuration change:
tmsh save / sys config
and restarting the syslog-ng service:
tmsh restart sys service syslog-ng