View sources IP's in Apache Logs behind a Load Balancer

How to configure Apache Logs to view the source IP’s when it is behind a Load Balancer

When you use the Rackspace Cloud Load Balancers, it is common that the IP logged in Apache is the Private IP (ServiceNet) from the Cloud Load Balancer, however, we can fix that.

We can view sources IP’s in Apache Logs doing some changes on Apache configuration file and also on the vhosts configuration files.

On your Apache configuration file, you should to find the line:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Modified to:

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

And also, on your vhosts configuration files you should to change the “combined” LogFormat definition will then be called in a “CustomLog” entry specific to your VirtualHost configuration. Here is an example VirtualHost definition to show you what I’m referring to:

ServerAdmin [email protected]
DocumentRoot /var/www/html/
ErrorLog logs/
CustomLog logs/ combined

After adding the X-Forwarded-For definition to the LogFormat definition, you can restart Apache and view the logs to notice the difference. If all is done properly, you will see an actual public IP in the first field of your logs instead of the Cloud Load Balancer IP.

Luis Cacho
Luis Cacho
Security Systems Administrator III

Security Systems Administrator at Rackspace | Kubernetes Enthusiast | Ansible Ninja