Debian: Apache + RemoteIP

More often than not, a web farm sits behind a load balancer, and the Apache log files then record the load balancer's address instead of the real remote IP address of each client. This entry describes how to configure Apache to log the client address taken from the X-Forwarded-For HTTP header.

First, make sure that mod_remoteip is enabled. On an Ubuntu or Debian instance, you can do this with:

# a2enmod remoteip

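Edit the configuration file /etc/modsecurity/modsecurity.conf. Make sure the IP address or range that identifies the proxy server is listed in RemoteIPInternalProxy. Apache accepts the X-Forwarded-For value only on connections arriving from those addresses, so keep the range as narrow as your load balancer setup allows.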

<IfModule remoteip_module>
      RemoteIPHeader X-Forwarded-For
      RemoteIPInternalProxy 192.168.0.0/16
</IfModule>

Edit the Apache LogFormat setting in the Apache configuration file /etc/apache2/apache2.conf. Find the matching LogFormat line in your Apache conf and change:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to:

LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

This tells Apache to log the client IP as recorded by mod_remoteip (%a) rather than hostname (%h). For a full explanation of all the options, see the Apache docs here.
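
To see which address ends up in the %a field, here is a simplified model of the right-to-left X-Forwarded-For evaluation that the mod_remoteip documentation describes. It is an added example, not Apache's own code; the function name, the sample addresses and the TOO_BROAD setting are assumptions made up for illustration.

```python
import ipaddress

def resolve_client_ip(peer, xff, trusted_proxies):
    """Return the address %a would log under the right-to-left rule."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = ipaddress.ip_address(peer)
    # Walk the header from the right. Each step is taken only while the
    # address currently held is itself a trusted proxy.
    while hops and any(client in n for n in nets):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and keep the last good address
        hops.pop()
        client = candidate
    return str(client)

# Constructed sample requests (documentation address ranges).
LB = "192.168.1.10"               # load balancer inside 192.168.0.0/16
PAGE_CONFIG = ["192.168.0.0/16"]  # RemoteIPInternalProxy value from the page
TOO_BROAD = ["0.0.0.0/0"]         # hypothetical overly wide trust setting

def demo():
    forged = "192.0.2.66, 203.0.113.7"  # client-supplied entry, then LB-appended one
    return {
        # Normal case: the load balancer appended the real client address.
        "via_lb": resolve_client_ip(LB, "203.0.113.7", PAGE_CONFIG),
        # Client sent its own header entry; the walk stops at the first
        # untrusted address, which is the one the load balancer appended.
        "forged_entry": resolve_client_ip(LB, forged, PAGE_CONFIG),
        # Connection that bypasses the load balancer: header is ignored.
        "direct": resolve_client_ip("198.51.100.9", "192.0.2.66", PAGE_CONFIG),
        # Trusting every address lets the client-supplied entry reach the log.
        "too_broad": resolve_client_ip(LB, forged, TOO_BROAD),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:13} -> {ip}")
```

The last case shows why the RemoteIPInternalProxy range should cover only the load balancer: with a wider range, the logged address is whatever the client put in the header.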