Log the custom X-Forwarded-For HTTP header value in IIS with this DLL
This DLL provided by Joe Pruitt allows you to log the X-Forwarded-For header value in the client IP (c-IP) IIS log field. It does not modify the source IP address or have any affect on IIS's processing of the client IP address. See Joe's original blog post for details and quite a few questions and responses about the DLL.
If you only want to record the client IP address that the LTM received, you could configure the HTTP profile with X-Forwarded-For in the 'Request Header Erase' field and 'X-Forwarded-For: IP::client_addr' in the 'Request Header Insert' field. This would mean LTM would remove any existing X-Forwarded-For headers and then insert a new one with the client IP address.
A recent customer issue came up where they were load balancing servers but we unable to get the true client address logged in their IIS logs. They had their servers fronted by a BIG-IP and when clients would make requests the address passed to the server was the internal address of the BIG-IP and not that of the client.
This is a common issue with proxies and fortunately there is a standard for forwarding client information. It is the HTTP X-Forwarded-For header which is handled by most proxies. So, I set out to find an existing ISAPI filter to replace the c-ip (client ip) log value in IIS with the contents of the X-Forwarded-For header (if it exists). I was amazed to find that I couldn't find a single instance of any open source (or even commercial) filter that would do this.
So, I dug out Visual Studio and whipped up a filter that does just that. It's very basic and contains no user configuration so all you need to do is plug it into your Web Applications list of ISAPI Filters within the IIS Administration and you're set to go.
We've released the source under the iControl End User License Agreement (available in any iControl SDK download). You can download the DLL in the Codeshare section of Devcentral. If you find a way to optimize this filter, please let me know and I'll update the sources.
After 24-hours of posting, a customer already returned some performance testing on the filter indicating that it only effected the traffic by less than 1 percent. I'm sure there are ways to optimize the memory allocation in the filter to speed this up a bit more, but I'll leave that for the community to work on.
Oh, and it should be noted that the X-Forwarded-For header isn't supported the same way across all proxy products so you'll want to make sure you test this out before using it. It is expecting the header to only contain an IP Address as it does a straight substitution on the value in the c-ip section of the log entry.