Enable Webtier to log the X-Forwarded-For Header in the access logs
Issue
This causes multiple problems for customers who send logs to Splunk, as the logs will always show that the web tier was accessed by the load balancer IP, not the true IP of the device.
Resolution
2- Go to the webtier folder, then go to this directory, on either a Linux or a Windows web tier:
---> server ---> config ---> config.xml
3- Look for the line in config.xml that contains:
<elf-fields>c-ip date time time-taken cs-method cs-uri sc-status bytes</elf-fields>
4- Change it to:
<elf-fields>cs(X-Forwarded-For) c-ip date time time-taken cs-method cs-uri sc-status bytes</elf-fields>
When you go to the logs directory and check the access_logs, you will find that another column has been added that contains the true IP of the device that accessed the load balancer.
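Once the column is present, whatever consumes the log has to decide when to believe it, because X-Forwarded-For is a request header and a client can send its own value. The following is an added example, not RSA code: it parses lines in the field order configured above and uses the forwarded address only when c-ip is the load balancer. The load balancer address, the sample lines, whitespace or tab separation, and `-` for an absent header are assumptions.

```python
import ipaddress

# Field order from the modified <elf-fields> line, minus the leading header field.
FIXED_FIELDS = ["c-ip", "date", "time", "time-taken",
                "cs-method", "cs-uri", "sc-status", "bytes"]
# Assumption: address of your load balancer (documentation-range placeholder).
TRUSTED_LB = {"192.0.2.10"}

def parse_line(line):
    """Split one access-log line into a dict keyed by ELF field name."""
    parts = line.split()
    n = len(FIXED_FIELDS)
    if len(parts) < n + 1:
        raise ValueError("line has fewer fields than the configured format")
    # The header value may contain spaces ("a, b"), so take the eight fixed
    # fields from the right and treat everything before them as the header.
    record = dict(zip(FIXED_FIELDS, parts[-n:]))
    record["cs(X-Forwarded-For)"] = " ".join(parts[:-n]).strip('"')
    return record

def client_ip(record, trusted_lb=TRUSTED_LB):
    """Return the address the request should be attributed to."""
    peer = record["c-ip"]
    xff = record["cs(X-Forwarded-For)"]
    # Honour the header only when the connection came from the load balancer;
    # a direct client can put anything it likes in X-Forwarded-For.
    if peer not in trusted_lb or xff in ("", "-"):
        return peer
    # A load balancer appends the address it saw, so the right-most entry is
    # the one it vouches for; earlier entries were supplied by the client.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed header: fall back to the TCP peer

# Constructed sample lines (not real log output).
SAMPLE = [
    "203.0.113.7 192.0.2.10 2021-03-01 10:00:00 0.012 GET /console 200 512",
    "10.1.1.1, 198.51.100.23 192.0.2.10 2021-03-01 10:00:01 0.02 GET /console 200 512",
    "- 192.0.2.10 2021-03-01 10:00:02 0.01 GET /health 200 2",
    "203.0.113.200 198.51.100.99 2021-03-01 10:00:03 0.01 GET /console 403 0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(client_ip(parse_line(line)))
```

The same rule applies in a Splunk search or field extraction: key on the forwarded address only for events whose c-ip is the load balancer.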