Enable Webtier to log the X-FORWARDER-FOR Header in the access logs
Article Number
Applies To
|
Issue
This causes multiple problems with customer who sends logs to Splunk as they will always get that the web tier has been accessed by the load balancer IP not the true IP of the device.
Resolution
2- Go to the webtier folder then go to this directory either on a Linux webtier or a windows webtier
---> server ---> config --> config.xml
3- Look for the line in config.xml that contains:
<elf-fields>c-ip date time time-taken cs-method cs-uri sc-status bytes</elf-fields>
4- Change it to:
<elf-fields>cs(X-Forwarded-For) c-ip date time time-taken cs-method cs-uri sc-status bytes</elf-fields>
When you go to the logs directory and then check the access_logs, you will find out that another column has been added that contains the true IP of the device that has accessed the load balancer.
Related Articles
Log Artifact is missing aveksaserver.log and most other log files in RSA Identity Governance & Lifecycle Number of Views RSA Announces the March 2021 Release of RSA SecurID Access Number of Views RSA Prime Developer & SDK Resources Number of Views Splunk Cloud - SAML My Page SSO Configuration - RSA Ready Implementation Guide Number of Views Splunk Enterprise - SAML My Page SSO Configuration - RSA Ready Implementation Guide Number of Views
Trending Articles
Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide How to Download OTP Token Seed Files from myRSA RSA Authentication Manager 8.9 Release Notes (January 2026)
Don't see what you're looking for?
