none
X-Forwarded-For field in Azure Log Analytics

    Question

  • Hello,

    In Azure Log Analytics, X-Forwarded-For property values are not showing even though it is present in IIS logs. 

    On documentation page of Collect IIS logs in Log Analytics (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs#iis-log-record-properties), there is no information about X-Forwarded-For property, that means Log Analytics is not parsing this X-Forwarded-For field values into the workspace. Due to which vital piece of information is getting missed.

    This field cannot be included into client IP (cIP) field of IIS log as Load Balancer and proxies server is being used and we need to track the LB IPs of the request.

    There is a feedback which was shared https://feedback.azure.com/forums/267889-log-analytics/suggestions/6519267-collect-iis-advanced-logs, but the page was not updated from past 3  - 4 years.

    When this issue will be resolved, is there any timeline to address it?



    Friday, January 11, 2019 2:32 PM

All replies

  • Hello Surya, I can check internally on the status of the feedback but first wanted to check if you saw the feature PMs response to the above feedback - screenshot below.

    https://feedback.azure.com/forums/267889-log-analytics/suggestions/6519267-collect-iis-advanced-logs  

    Saturday, January 12, 2019 3:03 AM
    Moderator
  • Hi,

    I want just to mention that probably the official advise would be to use Application Insights for monitoring web applications. I think that information might be there.

    Thursday, January 17, 2019 7:37 AM
  • Thank you Femisulu,

    The response on the attached screenshot is nearly 3 years back and it is not updated recently. Also I have reached out to the support team, but there was no luck. I am not sure how much votes Microsoft is looking for this change and how much more time they need to include this custom field. 

    As said my one of the senior architect, X-Forwarded-For (XFF) is an important field when any proxy or load balancer are being used in the web application. XFF change needs to be a global change.

    Note: Few months ago I have also voted in above forum, but keeping the time it was last updated, I cannot rely on the above explaination. I still doubt if there is any admin team who views or update it accordingly.

    Thanks

    Thursday, January 17, 2019 12:52 PM
  • Thanks Stanislav, few of our web applications are on App Insights, but the IIS related information is not being captured as the App Insights agent and SDK needs to be installed. 

    We used to get top 5 or 10 user session information, which will not help.

    Thursday, January 17, 2019 12:56 PM