Login | Register For Free | Help	Search this list this category for: (Advanced)

Mailing List Archive: Analog: Help x-forwarded-for with multiple hosts in LOGFORMAT   Index | Next | Previous | View Flat

donjones at us Nov 4, 2008, 11:27 AM Views: 647 Permalink x-forwarded-for with multiple hosts in LOGFORMAT I am wrestling with the fact that my logfiles, occasionally, have more than one entry for the x-forwarded-for header. for the following Apache 2.0 LogFormat directive: LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"\"%{Cookie}i\" %D" webtrends and given the following Analog LOGFORMAT directive: LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D) (which this board gave to me, thank you again very much) Most of the lines in my logfiles look like this: 10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET /wps/wcm/connect/2a6f7580496c90b6b2b1b201c6b31b76/question_icon-sm.gif?MOD=AJPERES&CACHEID=2a6f7580496c90b6b2b1b201c6b31b76 HTTP/1.1" 304 - "http://<referrer URL>" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR 1.1.4322)""__utma=101953745.1652819385290589000.1221015365.1224604983.1224952607.7; __utmz=101953745.1224952607.7.7.utmcsr=rxxxxxt.com|utmccn=(referral)|utmcmd=referral|utmcct=/u1_home.cfm; WT_FPC=id=10.234.239.131-3304339200.29954800:lv=1221044193521:ss=1221044166322; JSESSIONID_AP2_PR_WCM60=00007vCfK8zKVQucOSrXC0qYvDn:133sbhktb" 1991 But over the course of a week, about 1/5 of them (enough to skew the statistics) look like this, or some variation 10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET /wps/wcm/connect/corporate/lir?srv=cmpnt&source=library&cmpntname=MENU+-+LIR+Content+List HTTP/1.1" 200 320768 "-" "HTMLParser/1.6""-" 42021851 The DEBUG ON shows that Analog is unhappy with the 2nd "-" before the open bracket for the date, presumably because there are 4 fields before the bracket, not just 3, when x-forwarded-for has multiple entries. I could re-rerun the report with just specifying 4 %j entries before the bracket...losing the host wouldn't be the worst problem....but is there a better solution? Don Jones Life is not tested or documented to be fair. Thinking life is fair is not supported.

Subject User Time x-forwarded-for with multiple hosts in LOGFORMAT donjones at us Nov 4, 2008, 11:27 AM     Re: x-forwarded-for with multiple hosts in LOGFORMAT analog07 at eircom Nov 4, 2008, 11:51 AM         Re: x-forwarded-for with multiple hosts in LOGFORMAT donjones at us Nov 4, 2008, 12:59 PM

Index | Next | Previous | View Flat   Analog     Announce     Help

Interested in having your list archived? Contact lists@gossamer-threads.com
 

Web Applications & Managed Hosting Powered by Gossamer Threads Inc.