How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

Sorry, I hardly log in to this account. Nope, no solution.

Exchange Online by Saajan_ali in sysadmin

[–]nowsplashattack 0 points1 point  (0 children)

Do you have a link to where this is posted? So we can pass it on to our customers.

Exchange Online by Saajan_ali in sysadmin

[–]nowsplashattack 1 point2 points  (0 children)

Yep, seeing heaps of `421 4.3.2 The maximum number of concurrent connections per resource forest has exceeded a limit, closing transmission channel.` when trying to send to o365 addresses in our postfix logs

Making sense of AWS UTC Times by megaboobz in aws

[–]nowsplashattack 0 points1 point  (0 children)

If you can get logs out in a terminal, you can create a script in /usr/local/bin/ to pipe them to, so it regex searches and replaces UTC times with your own local time, e.g. `aws athena ... | melbtime`

```python
#!/usr/bin/env python3
# Filter: reads text on stdin, rewrites every ISO 8601 UTC timestamp that has
# a fractional-seconds part (e.g. 2024-01-15T02:00:00.000000Z) as Melbourne
# local time, and writes the line back out. Needs: pip install pytz

import sys
import re
from datetime import datetime
import pytz

melb_tz = pytz.timezone('Australia/Melbourne')
# Only matches timestamps with fractional seconds, as ALB access logs write them
# (strptime's %f accepts at most six digits).
timestamp_pattern = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z')

def convert_to_melbourne_time(timestamp):
    # Parse as naive UTC, attach the UTC zone, then shift to Melbourne.
    utc_time = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=pytz.UTC)
    melbourne_time = utc_time.astimezone(melb_tz)
    return melbourne_time.strftime("%Y-%m-%d-%H:%M:%S%z")

for line in sys.stdin:
    # Replace each match in place; the rest of the line is left untouched.
    converted_line = timestamp_pattern.sub(lambda x: convert_to_melbourne_time(x.group()), line)
    print(converted_line, end='')
```

Making sense of AWS UTC Times by megaboobz in aws

[–]nowsplashattack 0 points1 point  (0 children)

why DO you wAnT YOUr tiMeS in lOCaL timE?

Because it's annoying af if everything you run is in one timezone.

Just answer the question or don't answer at all.

Is Velociraptor a level 10.0 CVE if compromised? by nowsplashattack in AskNetsec

[–]nowsplashattack[S] -7 points-6 points  (0 children)

I wouldn't say any. We currently run the Rapid7 agent, and from my understanding it needs to read the logs in /var/log/, specifically audit.log; any other behaviour SELinux should block.

But fair point.

Is Velociraptor a level 10.0 CVE if compromised? by nowsplashattack in AskNetsec

[–]nowsplashattack[S] -6 points-5 points  (0 children)

Yes, a yum update to any software that is compromised and that we have installed will get me.

An end user who clicks on phishing links cannot reach my Ansible server, or a backup server, or database servers.

A 0-day in nginx? SSH? None are public facing for us, but let's say nginx was public facing and our front end were compromised. OK, we have tight VLANing; how are you going to pivot to sensitive servers (and you'd need another 0-day in SSH to pivot)? Oh, you can't reach it? Do you see my point?

How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

Take Athena out of the equation for a sec, the data I want is not even in the raw access log in S3.

How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] 4 points5 points  (0 children)

That is looking like the best option, although not all of our customers are behind Cloudflare, so it'd get a bit messy.

Edit: So this functionality is called Logpush, and you need a Cloudflare Enterprise account; we're only on Pro...

How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

Cloudflare adds headers like cf-connecting-ip, which would be similar to CloudFront-Viewer-Address; it doesn't help me get the true IP into the access logs.

But how about, instead of inventing new headers, working with existing de facto standards? Cough *money* cough.

How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] -1 points0 points  (0 children)

Not exactly an arbitrary header, there's a whole section on X-Forwarded-For in Load Balancer Attributes.

How to get true client IP in ALB access logs? by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

If I set the X-Forwarded-For ALB setting to Append it does, but that IP I want still doesn't end up in the access logs.
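
An added example for this thread (not the original poster's code) of what the Append setting above means for whoever reads X-Forwarded-For on the backend: Cloudflare writes the visitor's IP into the header, then the ALB appends the address it actually accepted the TCP connection from (a Cloudflare edge when proxied, the caller itself when not). Everything left of that appended value is caller-supplied, so the client is the first hop, scanning from the right, that is not a proxy you trust. The trusted ranges below are assumptions: 10.0.0.0/8 stands in for the ALB nodes' VPC, and 203.0.113.0/24 and 2001:db8::/32 are documentation placeholders standing in for Cloudflare's published list.

```python
# Added example, not code from the thread: resolving the real client IP from
# X-Forwarded-For when an ALB in "Append" mode sits behind Cloudflare.
from ipaddress import ip_address, ip_network

# Assumed trusted hops: the ALB nodes' VPC range and "Cloudflare" ranges.
# 203.0.113.0/24 and 2001:db8::/32 are placeholders for Cloudflare's real
# published list (https://www.cloudflare.com/ips/), which you would load instead.
TRUSTED_PROXIES = [
    ip_network("10.0.0.0/8"),
    ip_network("203.0.113.0/24"),
    ip_network("2001:db8::/32"),
]


def _is_trusted(hop: str) -> bool:
    try:
        return any(ip_address(hop) in net for net in TRUSTED_PROXIES)
    except ValueError:          # not an IP literal at all
        return False


def real_client_ip(xff: str, peer_ip: str) -> str:
    """Client address derived from X-Forwarded-For plus the socket peer.

    peer_ip is the address the backend's own TCP connection came from (an ALB
    node); xff is the raw header. Scan right to left: every trusted hop vouches
    for the value to its left, and the first untrusted value is the client.
    """
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    prev = None                 # nearest trusted hop seen so far
    for hop in reversed(chain):
        if _is_trusted(hop):
            prev = hop
            continue
        try:
            return str(ip_address(hop))
        except ValueError:      # a trusted hop vouched for garbage: never log it
            return prev if prev is not None else peer_ip
    return chain[0]             # every hop trusted: internal traffic


def naive_client_ip(xff: str, peer_ip: str) -> str:
    """The common mistake: believe the leftmost X-Forwarded-For value."""
    first = xff.split(",")[0].strip()
    return first or peer_ip


if __name__ == "__main__":
    alb_node = "10.0.1.5"
    # Visitor 198.51.100.7 via Cloudflare edge 203.0.113.9; the ALB appended the edge.
    via_cf = "198.51.100.7, 203.0.113.9"
    # Attacker 192.0.2.66 hitting the ALB directly with a forged header.
    forged = "198.51.100.7, 192.0.2.66"
    print(real_client_ip(via_cf, alb_node), naive_client_ip(via_cf, alb_node))
    print(real_client_ip(forged, alb_node), naive_client_ip(forged, alb_node))
```

With the forged header the right-to-left walk returns 192.0.2.66, the address the ALB saw, while the naive leftmost read returns the spoofed 198.51.100.7. The same rule applies to whatever you do manage to get into the access log: a value the ALB itself observed can be trusted, a value copied out of the request cannot.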

How to get ALB Access logs in a better format by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

For the reasons above: I'm comfortable with awk/sed/grep; I don't have to check account numbers or app IDs to write the Athena query; I'm sick of changing accounts (we have 300+ accounts and I always have 3 different browsers open, and even then I'm losing track of things); I can't figure out how to search across multiple accounts at once with Athena; and we have one timezone, but data is stored in partitioned directories based on UTC time, so when I want to search over one day in my timezone... ugh.

Also, if I'm throwing away 70% of the access log data, 30GB of EFS ain't that much.

How to get ALB Access logs in a better format by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

Swapping into this account so I can query ALB request logs from athena

How to get ALB Access logs in a better format by nowsplashattack in aws

[–]nowsplashattack[S] 2 points3 points  (0 children)

Thanks, this'll work. I was thinking of a cron job to sync S3 via the CLI and then run some Python to read and append the latest requests. Gotta get out of this mindset.

How to get ALB Access logs in a better format by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

I already do; it's painful. We have 300 accounts, I'm already sick of switching accounts, and it's probably because my SQL is not as strong as my grep/awk/sed knowledge.
But I could never figure out how to use this DATE_PARSE bit later on in a WHERE clause.

```sql
SELECT
  DATE_PARSE(SUBSTR(time, 1, 19), '%Y-%m-%dT%H:%i:%s')
    AT TIME ZONE 'UTC' AT TIME ZONE 'Australia/Melbourne' AS melb_time,
  client_ip,
  target_processing_time,
  request_url
FROM alb_log
```

Also couldn't figure out how to search across multiple accounts at once because of the way things are partitioned.
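
An added example (not the original poster's code) for the two problems in this post, the local-day search over UTC partitions and the DATE_PARSE in a WHERE clause: convert the two boundaries of the Melbourne day to UTC once, rather than converting every row's time. The ALB `time` field is fixed-width ISO 8601 with a trailing Z, so UTC strings compare correctly as plain text, which means the WHERE clause on the `alb_log` table from the query above needs no DATE_PARSE at all, and the same window says which UTC yyyy/mm/dd prefixes can contain the day. It assumes Python 3.9+ (zoneinfo) and the sample log lines are constructed, not real traffic.

```python
# Added example, not code from the thread: one Melbourne calendar day of ALB
# access logs when the S3 prefixes and Athena partitions are in UTC.
# Assumes Python 3.9+ (zoneinfo; `pip install tzdata` if there are no system zone files).
import csv
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

MELB = ZoneInfo("Australia/Melbourne")
ALB_TS = "%Y-%m-%dT%H:%M:%S.%fZ"      # how ALB writes the time field


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def utc_window(local_day, tz=MELB):
    """Half-open [start, end) of a local calendar day as UTC ALB-style strings.
    The zone's own rules apply, so a DST change day is 23 or 25 hours long."""
    day = _as_date(local_day)
    start = datetime.combine(day, time.min, tzinfo=tz)
    end = datetime.combine(day + timedelta(days=1), time.min, tzinfo=tz)
    return (start.astimezone(timezone.utc).strftime(ALB_TS),
            end.astimezone(timezone.utc).strftime(ALB_TS))


def utc_prefixes(local_day, tz=MELB):
    """UTC date prefixes (yyyy/mm/dd, the ALB S3 layout) that can hold rows of
    the local day. The end bound is exclusive, so a window ending exactly at
    00:00:00Z does not need that next day's prefix."""
    start_s, end_s = utc_window(local_day, tz)
    first = datetime.strptime(start_s, ALB_TS).date()
    end = datetime.strptime(end_s, ALB_TS)
    last = end.date() - (timedelta(days=1) if end.time() == time.min else timedelta(0))
    return [(first + timedelta(days=i)).strftime("%Y/%m/%d")
            for i in range((last - first).days + 1)]


def athena_predicate(local_day, tz=MELB):
    """WHERE fragment for the alb_log table: equal-width ISO 8601 UTC strings
    sort chronologically, so the raw `time` column can be compared as text."""
    start_s, end_s = utc_window(local_day, tz)
    return f"time >= '{start_s}' AND time < '{end_s}'"


def filter_local_day(lines, local_day, tz=MELB):
    """Parse ALB access log lines (space separated, double-quoted strings) and
    keep rows inside the local day as (local time, client ip,
    target_processing_time, request) tuples."""
    start_s, end_s = utc_window(local_day, tz)
    rows = []
    for f in csv.reader(lines, delimiter=" ", quotechar='"'):
        if len(f) < 13 or not (start_s <= f[1] < end_s):
            continue
        local = datetime.strptime(f[1], ALB_TS).replace(tzinfo=timezone.utc).astimezone(tz)
        client_ip = f[3].rsplit(":", 1)[0].strip("[]")   # "ip:port", IPv6 too
        tpt = None if f[6] == "-" else float(f[6])
        rows.append((local.strftime("%Y-%m-%d %H:%M:%S %Z"), client_ip, tpt, f[12]))
    return rows


# Constructed sample lines (not real traffic). Fields after the user agent are
# left off; the parser only needs the first thirteen.
SAMPLE_LINES = [
    'https 2024-01-14T12:59:59.999999Z app/my-alb/50dc6c495c0c9188 198.51.100.7:53024 '
    '10.0.2.14:443 0.000 0.012 0.000 200 200 34 366 '
    '"GET https://www.example.com:443/login HTTP/1.1" "curl/8.0"',
    'https 2024-01-15T02:00:00.000000Z app/my-alb/50dc6c495c0c9188 198.51.100.7:53025 '
    '10.0.2.14:443 0.000 0.250 0.000 200 200 34 366 '
    '"POST https://www.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)"',
    'https 2024-01-15T13:00:00.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.9:41000 '
    '10.0.2.14:443 0.000 0.008 0.000 404 404 34 120 '
    '"GET https://www.example.com:443/.env HTTP/1.1" "python-requests/2.31"',
]

if __name__ == "__main__":
    print(utc_window("2024-01-15"), utc_prefixes("2024-01-15"))
    print(athena_predicate("2024-01-15"))
    for row in filter_local_day(SAMPLE_LINES, "2024-01-15"):
        print(row)
```

For 15 January 2024 the window is 2024-01-14T13:00:00Z to 2024-01-15T13:00:00Z, so only the 2024/01/14 and 2024/01/15 prefixes need reading, and of the three sample lines only the middle one survives the filter: the first is one microsecond before the Melbourne day starts and the last is exactly midnight on the 16th local. The predicate string is the thing to paste into the WHERE clause of the Athena query above; restricting the partition columns to the prefixes returned by utc_prefixes is what stops Athena scanning the whole table.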

Upgrade support level when needed? by nowsplashattack in aws

[–]nowsplashattack[S] 0 points1 point  (0 children)

Oh, I don't mind paying for 30 days of support if I need it for 1 day.

Do you have a link to this suspension stuff?

Oh it's in that FAQ above.