10 posts categorized "logging"

10/18/2010

New HOWTO Article on Configuring Access Logging in Tomcat

I promoted some of the earlier posts on this blog about configuring Tomcat Access Logging to a new HOWTO.  Also incorporated into the HOWTO is some additional information on using the new RemoteIP Valve, which allows you to log client IP or the X-Forwarded-For IP, depending on whether an X-Forwarded-For IP is received.

Check it out and let me know what you think.  Thanks!

HOWTO: Configure Access Logging in Tomcat

 

03/30/2010

WebSEAL: Enabling Trace Logging

There will be times when you need to enable trace logging in WebSEAL to troubleshoot an issue.  To enable it, locate the routing file (typically in the same directory as your webseald instance configuration file) and uncomment the entry that looks something like this:

 #*:*.9:TEXTFILE.10.1000:/path/to/webseald/message/logs/trace__%ld.trace.log:644:ivmgr:ivmgr

Restart the webseald process that you want to collect data on, but be forewarned: it creates an awful lot of files!

12/28/2009

How To Log Client IP AND X-Forwarded-For IP in Apache

When you utilize a device like a BigIP LTM to load-balance your web servers, a typical configuration masks the client IP address.  The BigIP essentially proxies requests on behalf of the browser, so the only thing your web server sees is the IP address of the BigIP itself.  The BigIP utilizes an industry-standard (but not HTTP standard) mechanism for storing the customer IP address into an HTTP Request Header called the X-Forwarded-For header.  Typically, you configure your Apache servers to log the value from the X-Forwarded-For header instead of logging the client IP.  

This all works great except when you access the web server directly, bypassing the BigIP.  Since the BigIP (or other proxy) is inserting the X-Forwarded-For header and your browser is not, no client address gets logged in the Apache access logs, so you have no simple way to determine which internal user or monitor just took your site down with that vulnerability scan.  You can still figure it out based on user-agent and communication with your peers, but we sysadmins are like the police on TV—we like to have all the damning evidence at hand before "interviewing" the perp.

The following HOWTO details a mechanism for logging either one, depending on whether an X-Forwarded-For value exists.  HOWTO: Log Client IP AND X-Forwarded-For IP in Apache. It also includes a basic Groovy script for validating.
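
One way to set up the conditional logging described above, as an added example rather than the configuration from the linked HOWTO. The format nicknames, the `forwarded` variable name, the `via=` field and the log path are assumptions.

```apache
# Added example; nicknames, variable name, via= field and log path are assumptions.

# Direct requests (no X-Forwarded-For header): the first field is the
# address of the host that connected to Apache.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct

# Proxied requests: the first field is the X-Forwarded-For value. The
# connecting address (%h) is appended so each line also records which
# peer delivered the header.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" via=%h" proxied

# Set the variable only when the header is present and non-empty.
SetEnvIf X-Forwarded-For "." forwarded

# Exactly one of these two directives writes a line for any given request.
CustomLog "logs/access_log" proxied env=forwarded
CustomLog "logs/access_log" direct  env=!forwarded
```

Because X-Forwarded-For is an ordinary request header, the `via=%h` field lets you confirm that a line logged in the proxied format actually arrived from the load balancer's address.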

Creative Commons Attribution-ShareAlike 3.0 Unported