One disadvantage of running PeopleSoft behind a load balancer is that it can hide your user’s real IP address. With a load balancer, WebLogic and PeopleSoft log the load balancer’s IP address instead of the client connecting to your system. Load balancers support an HTTP header called
X-Forwarded-For, and will populate that HTTP header with the client’s IP address. We can configure WebLogic to read this header and add that to our HTTP access log.
psaccesslogtable tracks logins into PeopleSoft, but a customization is required to change the logged IP address to read from
X-Forwarded-For. We won’t over that here. Instead, we’ll show a configuration change to capture this information.
X-Forwarded-For HTTP header is designed to pass in the HTTP originating client IP address through the load balancer. Logging a client IP address helps you identify where users are coming from (geo-ip) and can help with auditing access to your system. Since organizations run many different load balancers, we won’t cover how to enable that. Ask your network administrators to enable and populate
X-Forwarded-For and pass it through to your WebLogic servers.
If you want to test the logging without getting a network admin involved, FireFox has a nice add-on, X-Forwarded-For Header that simulates the header for you.
WebLogic Access Log
Out of the box, WebLogic doesn’t capture the X-Forwarded-For HTTP header. To read that header, we can configure the HTTP Access Log to read the header and log it. To do that, we need to enable the Access Log and tell WebLogic what header to look for.
- Go to “Environment > Servers > PIA > Logging > HTTP”.
- Click “Lock & Edit”.
- Select the checkbox for “HTTP access log file enabled”.
- Save the changes.
- Expand the “Advanced” section.
- Change the Format to
cs(X-Forwarded-For)to the Extended Logging Format Fields.
- Set the Log File Buffer to
0. (This will write entires immediately to the log file.)
- Save the changes.
- Click the “Release Configuration” button.
- Restart the web server.
PIA_access.log file, you should see a dash
- or an IP address. If the header is blank, the dash will be populated. Otherwise, WebLogic will log the client’s real IP address.
Here a sample line from the
PIA_access.log file after we enabled
#Version: 1.0 #Fields: date time cs-method cs-uri sc-status cs-username cs(user-agent) s-ip c-ip time-taken bytes cs(X-Forwarded-For) #Software: WebLogic 2016-11-23 20:49:16 GET /psc/ps/EMPLOYEE/ELM/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL 200 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0" 0.0.0.0:10020 10.0.1.174 5.484 10907 "10.0.1.222"
The last value,
"10.0.1.222" is the client IP address (my workstation). The
c-ip value (10.0.1.174) is the load balancer IP adress in this scenario.