Retrieve Client IP Address Information from ArcGIS Server Logs

02-20-2024 02:45 AM
SaurabhUpadhyaya
Frequent Contributor

Hi,

We are currently working with ArcGIS Server 11.1 in our environment and are in need of assistance regarding our server logs.

We are attempting to retrieve the client IP address information from the logs for analysis and troubleshooting purposes.

Upon reviewing the available log fields, we noticed that the fields provided do not include a dedicated "Client IP" field. The fields available in our logs are as follows: [Type, Message, Time, Target, Machine, User, Code, Time Elapsed, Process, Thread, Method Name, Request ID].

Can anyone share a workaround to get the client IP?

Accepted Solutions
A_Wyn_Jones
Esri Contributor

Yes, monitoring web logs is a complex process. I can't suggest any particular tools but Web Server log parsers can help you see trends via Graphs of client requests.

 

If you know which services you want to trace, you can look for calls to "server/rest/services/MyData/Myservice/MapServer" which should help you filter the web server logs sufficiently to understand then which IPs have been requesting your map service.

If you're worried about unauthorised use of your Map services, you should look to implement CORS restrictions or, on the extreme side of the scale, set up a WAF to entirely control your web traffic.

CORS for Server map services:

https://enterprise.arcgis.com/en/server/latest/administer/linux/restricting-cross-domain-requests-to...

Portal CORS:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/restrict-cross-domain-requests-to-...

 

ArcGIS Hardening guide which is a good place to start reading about applying a WAF:

https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/ArcGIS_Enterprise_Hardening_Guide.PDF

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."

5 Replies
A_Wyn_Jones
Esri Contributor

You should be able to see this information via your Web Server logs - you can then cross-reference the error shown in ArcGIS Server logs with a call made via Web Server

 

e.g.

Web server: 00:00:000 /server/admin/security/config/update  123.12.1.3

ArcGIS Server: 00:00:000 SEVERE - can't update security config ERROR 9999

SaurabhUpadhyaya
Frequent Contributor

@A_Wyn_Jones Thanks for the prompt response. This is a very lengthy process. I have published multiple services which are accessed from different geographies and now want to trace the client IP.

Can you share any step or easy available tool?

gisarchitect
Regular Contributor

I know it might be late, but maybe someone needs it. I think System Log Parser can be handy in this situation, as you can configure it with a narrow window of time. The output sheet contains the client IP addresses that hit the web server. I think this could narrow the search to specific IP addresses. Attached are screenshots from the Parser and the Excel sheet. I hope this might help.
berniejconnors
Frequent Contributor

Saurabh,

You should be able to get the web server logs from the machine hosting your web adaptor.  The web server logs will give you the client IP, date, time, the incoming REST service request, the URL of the referrer, the referring agent, HTTP status code, bytes transferred and the duration of the request in seconds.  I find it useful to look at the duration of the request to identify the slow requests that are using a lot of server time.  This may indicate a problem such as a poorly formed query on a map service, or a map service that needs to be tuned for faster performance.

Unfortunately I cannot tell you how to find the web server logs.  I rely on an excellent server administrator to extract and filter logs for my analysis.  Just looking at requests that run longer than 60 seconds I usually only have 100 or fewer records per day to examine.  I just scan them in a text editor and look for unusual requests that may need further investigation.

Cheers,

Bernie.
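
Added example (not part of any post in this thread): a sketch of the filtering described in the accepted solution and in Bernie's reply, plus the timestamp cross-reference from the first reply. It assumes the web adaptor runs on IIS writing W3C extended logs; the sample lines, IP addresses and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (assumed web server, not from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2024-02-20 02:41:07 GET /server/rest/services/MyData/Myservice/MapServer/export f=image 203.0.113.10 Mozilla/5.0 https://maps.example.org/ 200 412
2024-02-20 02:41:09 GET /server/rest/services/MyData/Myservice/MapServer/0/query where=1%3D1 198.51.100.7 python-requests/2.31 - 200 61250
2024-02-20 02:42:30 GET /server/rest/services/Other/Roads/MapServer f=json 203.0.113.10 Mozilla/5.0 - 200 35
2024-02-20 02:43:02 POST /server/admin/security/config/update - 192.0.2.44 curl/8.4 - 500 120
2024-02-20 02:44:15 GET /server/rest/services/MyData/Myservice/MapServer f=json 203.0.113.10 Mozilla/5.0 - 200 20
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                row = dict(zip(fields, values))
                row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
                yield row

def clients_for_service(rows, service_path):
    """Count requests per client IP whose URI is the service or one of its sub-resources."""
    prefix = service_path.lower().rstrip("/")
    hits = Counter()
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if stem == prefix or stem.startswith(prefix + "/"):
            hits[r["c-ip"]] += 1
    return hits

def slow_requests(rows, min_seconds=60):
    """Requests running longer than min_seconds; IIS records time-taken in milliseconds."""
    return [(r["c-ip"], r["cs-uri-stem"], int(r["time-taken"]) / 1000)
            for r in rows if int(r["time-taken"]) > min_seconds * 1000]

def requests_near(rows, when, window_seconds=5):
    """Web requests within window_seconds of an ArcGIS Server log timestamp (same time zone)."""
    delta = timedelta(seconds=window_seconds)
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in rows if abs(r["when"] - when) <= delta]

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print(clients_for_service(rows, "/server/rest/services/MyData/Myservice/MapServer"))
```

IIS writes W3C timestamps in UTC by default, so convert the ArcGIS Server log time before calling `requests_near`. If a load balancer or reverse proxy sits in front of the web adaptor, `c-ip` is that device's address and the original client has to come from a forwarded-for header logged as a custom field.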