I am wrestling with the fact that my logfiles, occasionally, have more
than one entry for the x-forwarded-for header.
for the following Apache 2.0 LogFormat directive:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"\"%{Cookie}i\" %D" webtrends
and given the following Analog LOGFORMAT directive:
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)
(which this board gave to me, thank you again very much)
Most of the lines in my logfiles look like this:
10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET
/wps/wcm/connect/2a6f7580496c90b6b2b1b201c6b31b76/question_icon-sm.gif?MOD=AJPERES&CACHEID=2a6f7580496c90b6b2b1b201c6b31b76
HTTP/1.1" 304 - "http://<referrer URL>" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; SV1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR
1.1.4322)""__utma=101953745.1652819385290589000.1221015365.1224604983.1224952607.7;
__utmz=101953745.1224952607.7.7.utmcsr=rxxxxxt.com|utmccn=(referral)|utmcmd=referral|utmcct=/u1_home.cfm;
WT_FPC=id=10.234.239.131-3304339200.29954800:lv=1221044193521:ss=1221044166322;
JSESSIONID_AP2_PR_WCM60=00007vCfK8zKVQucOSrXC0qYvDn:133sbhktb" 1991
But over the course of a week, about 1/5 of them (enough to skew the
statistics) look like this, or some variation
10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET
/wps/wcm/connect/corporate/lir?srv=cmpnt&source=library&cmpntname=MENU+-+LIR+Content+List
HTTP/1.1" 200 320768 "-" "HTMLParser/1.6""-" 42021851
The DEBUG ON shows that Analog is unhappy with the 2nd "-" before the open
bracket for the date, presumably because there are 4 fields before the
bracket, not just 3, when x-forwarded-for has multiple entries.
I could re-rerun the report with just specifying 4 %j entries before the
bracket...losing the host wouldn't be the worst problem....but is there a
better solution?
Don Jones
Life is not tested or documented to be fair. Thinking life is fair is not
supported.
than one entry for the x-forwarded-for header.
for the following Apache 2.0 LogFormat directive:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"\"%{Cookie}i\" %D" webtrends
and given the following Analog LOGFORMAT directive:
LOGFORMAT (%S %j %u [%d/%M/%Y:%h:%n:%j] "%j %r %j" %c %b "%f" "%B""%j" %D)
(which this board gave to me, thank you again very much)
Most of the lines in my logfiles look like this:
10.234.232.167 - - [25/Oct/2008:23:01:10 -0500] "GET
/wps/wcm/connect/2a6f7580496c90b6b2b1b201c6b31b76/question_icon-sm.gif?MOD=AJPERES&CACHEID=2a6f7580496c90b6b2b1b201c6b31b76
HTTP/1.1" 304 - "http://<referrer URL>" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; SV1; Tablet PC 1.7; .NET CLR 1.0.3705; .NET CLR
1.1.4322)""__utma=101953745.1652819385290589000.1221015365.1224604983.1224952607.7;
__utmz=101953745.1224952607.7.7.utmcsr=rxxxxxt.com|utmccn=(referral)|utmcmd=referral|utmcct=/u1_home.cfm;
WT_FPC=id=10.234.239.131-3304339200.29954800:lv=1221044193521:ss=1221044166322;
JSESSIONID_AP2_PR_WCM60=00007vCfK8zKVQucOSrXC0qYvDn:133sbhktb" 1991
But over the course of a week, about 1/5 of them (enough to skew the
statistics) look like this, or some variation
10.236.188.189, 10.254.246.140 - - [25/Oct/2008:23:00:34 -0500] "GET
/wps/wcm/connect/corporate/lir?srv=cmpnt&source=library&cmpntname=MENU+-+LIR+Content+List
HTTP/1.1" 200 320768 "-" "HTMLParser/1.6""-" 42021851
The DEBUG ON shows that Analog is unhappy with the 2nd "-" before the open
bracket for the date, presumably because there are 4 fields before the
bracket, not just 3, when x-forwarded-for has multiple entries.
I could re-rerun the report with just specifying 4 %j entries before the
bracket...losing the host wouldn't be the worst problem....but is there a
better solution?
Don Jones
Life is not tested or documented to be fair. Thinking life is fair is not
supported.