You want to log the downstream client username in the access log of the upstream proxy in a proxy chain.

In proxy chaining environments, the upstream (or parent) proxy logs all traffic as originating from the downstream (or child) proxy. To have the upstream proxy log the originating client's username in its access logs, modify both the downstream and upstream proxies. The modification is to configure the downstream proxy to add an HTTP header showing the originating client's username, and to configure policy on the upstream proxy to modify access logging based on this added header.

On the downstream ProxySG (the proxy that the clients communicate to first):

1. Create a new Web Access layer.

2. Create a new rule in this new layer.

3. Configure the Action-field as follows:

On the upstream ProxySG:

1. (Optional): Create a new copy of your current access-log

2. Add the following substitution variable into the log file format definition (in this example I added it at the end): request.header.X-Forwarded-For

3. In order to keep this header from leaking to the internet, you will need to strip this header again on the upstream proxy: To do this, add a new Web Access Layer and a new rule with this action:

4. (Optional)If you have created a new log format, you will need another layer and rule on the upstream proxy to tell the SG to log to this new format:

Action: Modify Access Logging

If you now tail the new (or old) access log, you will see the username that was provided by the downstream proxy (admin in this example):

If you need to log the IP address rather than the username (for example when you do not authenticate), please see KB1982 (Logging the downstream client IP in the access log of the upstream ProxySG in a proxy chain).