Mailing List Archive: Analog: Help

x-forwarded-for with multiple hosts in LOGFORMAT

Index | Next | Previous | View Threaded

donjones at us

Nov 4, 2008, 11:27 AM

Post #1 of 3 (630 views)
Permalink

x-forwarded-for with multiple hosts in LOGFORMAT

I am wrestling with the fact that my logfiles, occasionally, have more
than one entry for the x-forwarded-for header.

for the following Apache 2.0 LogFormat directive:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"\"%{Cookie}i\" %D" webtrends

and given the following Analog LOGFORMAT directive:

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)

(which this board gave to me, thank you again very much)

Most of the lines in my logfiles look like this:

10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET
/wps/wcm/connect/2a6f7580496c90b6b2b1b201c6b31b76/question_icon-sm.gif?MOD=AJPERES&CACHEID=2a6f7580496c90b6b2b1b201c6b31b76
HTTP/1.1" 304 - "http://<referrer URL>" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; SV1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR
1.1.4322)""__utma=101953745.1652819385290589000.1221015365.1224604983.1224952607.7;
__utmz=101953745.1224952607.7.7.utmcsr=rxxxxxt.com|utmccn=(referral)|utmcmd=referral|utmcct=/u1_home.cfm;
WT_FPC=id=10.234.239.131-3304339200.29954800:lv=1221044193521:ss=1221044166322;
JSESSIONID_AP2_PR_WCM60=00007vCfK8zKVQucOSrXC0qYvDn:133sbhktb" 1991

But over the course of a week, about 1/5 of them (enough to skew the
statistics) look like this, or some variation

10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET
/wps/wcm/connect/corporate/lir?srv=cmpnt&source=library&cmpntname=MENU+-+LIR+Content+List
HTTP/1.1" 200 320768 "-" "HTMLParser/1.6""-" 42021851

The DEBUG ON shows that Analog is unhappy with the 2nd "-" before the open
bracket for the date, presumably because there are 4 fields before the
bracket, not just 3, when x-forwarded-for has multiple entries.

I could re-rerun the report with just specifying 4 %j entries before the
bracket...losing the host wouldn't be the worst problem....but is there a
better solution?

Don Jones

Life is not tested or documented to be fair. Thinking life is fair is not
supported.

analog07 at eircom

Nov 4, 2008, 11:51 AM

Post #2 of 3 (607 views)
Permalink

Re: x-forwarded-for with multiple hosts in LOGFORMAT [In reply to]

Don Jones <donjones[at]us.ibm.com> wrote:
>> I am wrestling with the fact that my logfiles, occasionally, have
>> more than one entry for the x-forwarded-for header.
>>
>> for the following Apache 2.0 LogFormat directive:
>>
>> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
>> \"%{User-Agent}i\"\"%{Cookie}i\" %D" webtrends
>>
>> and given the following Analog LOGFORMAT directive:
>>
>> LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f"
>> "%B""%j" %D)
>>
>> (which this board gave to me, thank you again very much)
>>
>> Most of the lines in my logfiles look like this:
>>
>> 10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET ...
>>
>> But over the course of a week, about 1/5 of them (enough to skew the
>> statistics) look like this, or some variation
>>
>> 10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET ..

Analog can cope with multiple LOGFORMATs in a single log file, so just add an additional entry for decoding the lines with the extra IP addresses.

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)
LOGFORMAT (%S, %j %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)

or
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)
LOGFORMAT (%j, %S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)

Aengus

+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
| http://lists.meer.net/mailman/listinfo/analog-help
|
| Analog Documentation: http://analog.cx/docs/Readme.html
| List archives: http://www.analog.cx/docs/mailing.html#listarchives
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------

donjones at us

Nov 4, 2008, 12:59 PM

Post #3 of 3 (603 views)
Permalink

Re: x-forwarded-for with multiple hosts in LOGFORMAT [In reply to]

Perfect, worked great! Thank you again!!!!

Don Jones
WebSphere Portal Development
Office: 919.254.2550 (tie line 444)
Life is not tested or documented to be fair. Thinking life is fair is not
supported.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com