When there are several clients behind the same IP, the X-Forwarded-For header is usually used to identify the client that performed a specific request.
By default, the access logs from the proxy don't show the content of this field. The purpose of this article is to create a new access log that records the content of this header in such a scenario.
To create, use and monitor the new Access Log:
Step 1: Create the log Format
Format Name: Format_With_XForwardedFor (or any name you see fit)
Paste this string to replace the original string under "W3C Extended Log File Format (ELFF) String (Specify below)":
date time time-taken c-ip cs(X-Forwarded-For) cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation x-bluecoat-application-groups cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata)
Note: This format is simply the format called bcreportermain_v1 with the X-Forwarded-For field added next to the client IP field (the field can be placed elsewhere in the string as needed, as long as it is present).
Step 2: Create the log facility
Log Name: AccessLog_With_XForwardedFor (or any name you see fit)
Log Format: Format_With_XForwardedFor (the new log format created in Step 1)
Step 3: Define policy to write logs into the new file
Source: Any
Destination: Any
Action: Set > New > Modify Access Logging > Name the Access Logging Object > Enable logging to: AccessLog_With_XForwardedFor (the new log created in Step 2), then click OK.
Step 4: Validate
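One way to check the resulting log during validation, as an added example that is not part of the original article or any vendor tooling: the Python script below reads the #Fields directive, pulls c-ip and cs(X-Forwarded-For) from each record, and classifies the header value, which is client-supplied and may be absent, a comma-separated chain, or not an address at all. The sample log is constructed with a shortened field list, and the assumptions are that the log starts with a W3C ELFF #Fields line, that empty values are logged as "-", and that values containing spaces are double-quoted.

```python
import csv
import ipaddress

# Constructed sample (not real traffic). The field list is shortened for
# readability; a real log carries the full string from Step 1.
SAMPLE_LOG = '''#Fields: date time time-taken c-ip cs(X-Forwarded-For) cs-username sc-status cs-method cs-host cs(User-Agent)
2024-05-01 10:00:01 12 192.0.2.10 198.51.100.7 alice 200 GET example.com "Mozilla/5.0 (X11; Linux x86_64)"
2024-05-01 10:00:02 8 192.0.2.10 "198.51.100.8, 203.0.113.4" - 200 GET example.com curl/8.0
2024-05-01 10:00:03 5 192.0.2.10 - - 403 GET example.org curl/8.0
2024-05-01 10:00:04 7 192.0.2.10 not-an-ip bob 200 POST example.net curl/8.0
'''

def parse_elff(lines):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #Fields directive")
            # Space-delimited, double quotes protect values containing spaces.
            values = next(csv.reader([line], delimiter=" "))
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            yield dict(zip(fields, values))

def classify_xff(raw):
    """Return (status, entries) for one logged cs(X-Forwarded-For) value."""
    if raw in ("-", ""):
        return "absent", []
    parts = [p.strip() for p in raw.split(",")]
    try:
        addrs = [str(ipaddress.ip_address(p)) for p in parts]
    except ValueError:
        return "malformed", parts  # header is client-supplied; keep it for review
    return ("chain" if len(addrs) > 1 else "single"), addrs

def xff_report(lines, field="cs(X-Forwarded-For)"):
    """(c-ip, status, entries) per record; KeyError means the field is not logged."""
    return [(r["c-ip"], *classify_xff(r[field])) for r in parse_elff(lines)]

if __name__ == "__main__":
    for row in xff_report(SAMPLE_LOG.splitlines()):
        print(row)
```

A KeyError from xff_report means the log being read is not using the new format, which is the first thing to confirm after applying the policy in Step 3.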