Goaccess: Extracting XFF from haproxy logs

Created on 8 May 2017  路  5Comments  路  Source: allinurl/goaccess

When using haproxy, the X-Forwarded-For IPs can (only) be logged by using the "capture request headers" feature - cf https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-capture%20request%20header . So these IPs end up in curly braces, e.g. {194.158.159.12, 10.42.84.249}. goaccess has support for the XFF IPs using ~h using curly braces to specify the separators - however I fail to find a valid configuration where the curly braces in the log line and the curly braces in the log format don't clash. Am I missing something?

My example log line (from syslog):
May 8 09:06:48 10.42.47.114 haproxy[70]: 10.42.122.13 [08/May/2017:09:06:42.294] 200 263860 {194.158.159.12, 10.42.84.249} "GET /a/b/c?d=e HTTP/1.1"

My goaccess configuration:
$ goaccess -f /tmp/access.log2 --log-format '%^ %^ %^ %^ %^ %^ %h [%d:%f] %s %b "{~h{, }}" %r' --date-format '%d/%b/%Y' --time-format '%H:%M:%S'

My goal would be that 194.158.159.12 is the IP that is used in all statistics...

bug log-processing
Source
picture mephinet

All 5 comments

Thanks for reporting this. It looks like the code parsing the braces is not taking into account a escape sequence. I'll look into this and post back as soon as I push the change upstream.

allinurl picture allinurl on 8 May 2017
👍1

When designing your parser, you might want to take into account that there might be more than one header that is being captured, and that more than one is relevant for goaccess - one might want to capture XFF, referer and user agent, for instance. An example of such a log line can be found in https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#8.8

mephinet picture mephinet on 9 May 2017

I have pushed a commit that should fix this issue. Please build from upstream and let me know how it goes. The following should do it:

goaccess access.log --log-format '%^:%^:%^:%^[%d:%t.%^] %s %b ~h{, \\{\\}} "%r"' --date-format=%d/%b/%Y --time-format=%T
allinurl picture allinurl on 12 May 2017
1

Awesome, works! Thank you very much!

mephinet picture mephinet on 12 May 2017

Great. It'll be pushed out in the upcoming version. Feel free to reopen it if needed.

allinurl picture allinurl on 12 May 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

deosha picture deosha  路  3Comments
konungrl picture konungrl  路  3Comments
narayan1599 picture narayan1599  路  3Comments
DestinyWang picture DestinyWang  路  3Comments
domainoverflow picture domainoverflow  路  3Comments