How to get the source IP address on the website when traffic comes.

0

Hi Team,

I want to fetch the source IP address when any user hits the website. How can we get the client IP address when traffic or an attack comes to the website? Is there any simple way to configure this in a CloudWatch dashboard so that we can see it at any time, for any specific time?

We are using WAF and a load balancer in our project.

Thanks, Anuj

2 Answers
0
Accepted Answer

If you have ALB logging enabled, you can obtain the client IP addresses by querying the logs in the S3 bucket using Athena.

https://docs.aws.amazon.com/athena/latest/ug/application-load-balancer-logs.html

Similarly with WAF: https://docs.aws.amazon.com/athena/latest/ug/waf-logs.html

Or via CloudWatch (WAF): https://repost.aws/knowledge-center/waf-analyze-logs-stored-cloudwatch-s3

EXPERT
answered 9 months ago
  • Hi Gary,

    Thanks for the response. I have enabled the ALB logs, but when I check the ALB logs manually there are multiple internal AWS IPs, so I am unable to identify actual traffic on the website. Also, we have logs in gzip folder type in the S3 bucket, so it's typical to check the logs.

  • Which column are you seeing AWS IPs in? Usually that’s only the target_IP. You should be looking at client_ip.

  • That’s why you need Athena. You can’t look at the log files directly. Athena queries the gzip files as if they are a SQL table.

  • There is no specific difference in the file such as client IP, target IP. It just mentions the IP only.

  • Please follow the link I provided. All will be clear when you use Athena.
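
The client-versus-target question in the comments above, as an added example that is not part of the original answers: a Python sketch that reads one gzipped ALB access log object and counts requests per client IP. It assumes the field order documented for ALB access logs; the function names and the sample entries are constructed for illustration.

```python
import gzip
import io
from collections import Counter

# The first 12 fields of an ALB access log entry are unquoted and space-separated,
# in this order (per the AWS access log documentation). Field 4 is the client,
# field 5 is the target (the internal address of the backend).
LEADING_FIELDS = ["type", "time", "elb", "client", "target",
                  "request_processing_time", "target_processing_time",
                  "response_processing_time", "elb_status_code",
                  "target_status_code", "received_bytes", "sent_bytes"]

def parse_alb_line(line):
    """Return the leading fields as a dict, with client/target split into ip and port."""
    # Only the fixed leading fields are split, so nothing the client put in the
    # quoted request line or user agent can shift the columns.
    parts = line.rstrip("\n").split(" ", len(LEADING_FIELDS))
    if len(parts) <= len(LEADING_FIELDS):
        raise ValueError("not an ALB access log entry")
    entry = dict(zip(LEADING_FIELDS, parts))
    for side in ("client", "target"):
        # The target is logged as "-" when the request never reached a target.
        ip, _, port = entry[side].rpartition(":")
        entry[side + "_ip"] = ip or None
        entry[side + "_port"] = int(port) if port.isdigit() else None
    return entry

def top_clients(gz_bytes, status=None, n=10):
    """Count requests per client IP in one gzipped log object, optionally for one status code."""
    counts = Counter()
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            try:
                entry = parse_alb_line(line)
            except ValueError:
                continue  # skip blank or truncated lines
            if status is None or entry["elb_status_code"] == status:
                counts[entry["client_ip"]] += 1
    return counts.most_common(n)

# Constructed sample entries (documentation-range addresses), cut off after the user agent.
_HEAD = "https 2024-01-15T10:00:0%d.000000Z app/example/0123456789abcdef "
_TAIL = ' "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0"'
SAMPLE = "\n".join([
    _HEAD % 0 + "203.0.113.10:51234 10.0.1.25:80 0.001 0.004 0.000 200 200 312 1024" + _TAIL,
    _HEAD % 1 + "203.0.113.10:51240 10.0.2.31:80 0.001 0.003 0.000 200 200 298 2048" + _TAIL,
    _HEAD % 2 + "198.51.100.7:40000 - -1 -1 -1 403 - 250 150" + _TAIL,
]) + "\n"
SAMPLE_GZ = gzip.compress(SAMPLE.encode("utf-8"))

if __name__ == "__main__":
    print(top_clients(SAMPLE_GZ))
```

Passing `status="403"` narrows the count to requests the load balancer answered with that code, which is where the target column shows `-` instead of an internal address.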

0

If you are using ALB you'll find that the client source IP address is placed into the X-Forwarded-For header which you can retrieve when each request is processed. The documentation about this is here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html

As the other answer mentions: You can also retrieve the data from the ALB access logs so it depends on whether you want to know the IP address when the request comes in (use the headers above) or process that information historically.

You also have access to the client IP within WAF: https://repost.aws/knowledge-center/waf-mitigate-ddos-attacks

AWS
EXPERT
answered 9 months ago
