Why do Apache access logs sometimes have two host ip addresses?
I have been trying to parse apache access logs but for some reason there are two host ip addresses separated by a comma and a space. I am thinking of just removing the second ip address, does it mean anything? I would hate to remove something that might have useful information.
edit:
Here is an example of the log line with two ip addresses:
62.28.25.X, 194.65.37.X - - [06/May/2014:17:58:15 +0000] "GET / HTTP/1.1" 200 1556 "http://mysite.io/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; chromeframe/32.0.1700.107; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)"
A normal line:
54.247.188.X - - [08/May/2014:00:04:16 +0000] "GET / HTTP/1.1" 301 20 "-" "NewRelicPinger/1.0 (625386)"
I do not have mod_log_config in my mods-enabled directory. Perhaps I am looking in the wrong place? It should just be the default.
edit2:
I found this in /etc/apache2/apache2.conf, I hope this clears things up.
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Solution 1:
This happens when Apache receives a connection from a system that is (or claims to be) a proxy. The %h
format specifier normally produces just an IP address, but when the client sends a header indicating that it has proxied the request, the IP of the original client is recorded with a comma, and then the IP of the proxy.