Hi there

We are using modsecurity on Apache to protect backend IIS servers (ie a
WAF), and of course, one downside is that all the IIS Logs now report
the WAF's IP address instead of the real Internet IP of the client.

For backend Apache servers this is easy to fix (I'll put it here for
others and Google)

LogFormat "%h %l ...." internal
LogFormat "%{X-Forwarded-For}i %l ...." external

setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF

CustomLog /var/log/httpd/access_log internal env=!isWAF
CustomLog /var/log/httpd/access_log external env=isWAF

...however IIS has nothing like that. How are others doing it? I've
looked around Google and found something from 2005 - but a couple of
releases of IIS have come out since then, so I don't know how valid
they'd be anymore...

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users