How to log actual client IP address in IIS?

When users go through several proxies before reaching out your web server, the IP field in IIS may show only a proxy IP address instead of the actual client IP address. In this post, we will see how to find the actual client IP address in this scenario.

Long story short, you can use X-Forwarded-For request header to find the IP address of the client who sent requests. This field is not logged in IIS by default. Therefore, you need to configure custom logging in your web server.

Configure IIS to log actual client IP address

The way custom logging (also called advanced logging or enhanced logging) is configured is different based on IIS version. See the corresponding instructions below.

Looking for a list of IIS versions? Check this post out.

Which directory the custom logs are stored in?

In IIS 7/7.5/8: %SystemDrive%\inetpub\logs\AdvancedLogs
In IIS 8.5+: %SystemDrive%\inetpub\logs\LogFiles

Add X-Forwarded-For column in IIS 7/7.5/8

  1. Open IIS Manager
  2. On server, site or application level, double click “Advanced Logging
  3. In the action pane on right side, click “Enable Advanced Logging
  4. In the action pane, click “Edit Logging Fields
  5. In the new window, click “Add Field
  6. In “Add Logging Field” window, fill out the following fields
    • Field ID: X-Forwarded-For, Source type: Response Header, Source name: X-Forwarded-For
  7. Click “OK
  8. In the middle pane, select the default log definition “%COMPUTERNAME%-Server“. Click “Edit Log Definition
  9. Click “Select Logging Fields
  10. Select “X-Forwarded-For” from the list. Click “OK
  11. Click “Apply” in the actions pane

Wait for a new log file to be created. Column changes will be effective when a new log file is created. You may need to generate some traffic to fill and close the current log file.

Add X-Forwarded-For column in IIS 8.5 and newer versions

Custom logging became a lot easier with the IIS 8.5. Follow the steps below to add X-Forwarded-For column into IIS logs.

  1. Open IIS Manager
  2. On server, site or application level, double click “Logging
  3. Click “Select Fields
  4. In “W3C Logging Fields” window, click “Add Field
  5. In the “Add Custom Field” window, fill out the following fields
    • Field Name: X-Forwarded-For, Source type: Response Header, Source: X-Forwarded-For
  6. Click “OK” in both open windows
  7. Click “Apply” in the actions pane
Add X-Forwarded-For field to log actual client IP address
Add X-Forwarded-For field to log actual client IP address

Wait for a new log file to be created. Column changes will be effective when a new log file is created.

Note 1: If you see a dash (“-“) in X-Forwarded-For column of the log file, it means the client didn’t use any proxies. Therefore, the client IP must be in the “c-ip” column

Note 2: You may see multiple IP addresses in X-Forwarded-For column of the log file, it means the client went through more than 1 proxy. Each proxy adds their own IP to the end of the value. The left-most IP address is the actual client IP address. Others belong to proxies the client go through. 

X-Forwarded-For: client1, proxy1, proxy2, …

References:

Spread the word!

One thought to “How to log actual client IP address in IIS?”

Leave a Reply

Your email address will not be published. Required fields are marked *