[analog-help] x-forwarded-for with multiple hosts in LOGFORMAT

Tue, 04 Nov 2008 11:37:47 -0800 

I am wrestling with the fact that my logfiles, occasionally, have more 
than one entry for the x-forwarded-for header.

for the following Apache 2.0 LogFormat directive:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-Agent}i\"\"%{Cookie}i\" %D"  webtrends

and given the following Analog LOGFORMAT directive:

LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)

(which this board gave to me, thank you again very much)

Most of the lines in my logfiles look like this:

10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET 
/wps/wcm/connect/2a6f7580496c90b6b2b1b201c6b31b76/question_icon-sm.gif?MOD=AJPERES&CACHEID=2a6f7580496c90b6b2b1b201c6b31b76
 
HTTP/1.1" 304 - "http://<referrer URL>" "Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.1; SV1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR 
1.1.4322)""__utma=101953745.1652819385290589000.1221015365.1224604983.1224952607.7;
 
__utmz=101953745.1224952607.7.7.utmcsr=rxxxxxt.com|utmccn=(referral)|utmcmd=referral|utmcct=/u1_home.cfm;
 
WT_FPC=id=10.234.239.131-3304339200.29954800:lv=1221044193521:ss=1221044166322; 
JSESSIONID_AP2_PR_WCM60=00007vCfK8zKVQucOSrXC0qYvDn:133sbhktb" 1991

But over the course of a week, about 1/5 of them (enough to skew the 
statistics) look like this, or some variation

10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET 
/wps/wcm/connect/corporate/lir?srv=cmpnt&source=library&cmpntname=MENU+-+LIR+Content+List
 
HTTP/1.1" 200 320768 "-" "HTMLParser/1.6""-" 42021851

The DEBUG ON shows that Analog is unhappy with the 2nd "-" before the open 
bracket for the date, presumably because there are 4 fields before the 
bracket, not just 3, when x-forwarded-for has multiple entries.

I could re-rerun the report with just specifying 4 %j entries before the 
bracket...losing the host wouldn't be the worst problem....but is there a 
better solution? 


Don Jones

Life is not tested or documented to be fair.  Thinking life is fair is not 
supported.
+------------------------------------------------------------------------
|  TO UNSUBSCRIBE from this list:
|    http://lists.meer.net/mailman/listinfo/analog-help
|
|  Analog Documentation: http://analog.cx/docs/Readme.html
|  List archives:  http://www.analog.cx/docs/mailing.html#listarchives
|  Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------

Reply via email to