Server Access Logs Missing Information

[Giancarlo]

We're currently running a two server setup, a web server and a database server, using Litespeed as well as Cloudflare.
About a month ago we enabled Cloudflare's rate limiting feature to block certain traffic that would try to ping a specific URL.
At the same time, we noticed some people were able to get around the rate limiting we had in place, and we asked Cloudflare how to fix this. They requested the access logs, however, the access logs contained Cloudflare IPs, since we never set Litespeed to store the original visitor IP. So Cloudflare asked us to restore the original visitor IPs in our logs.

We requested our host restore the original visitor IP, but one of the techs did something that completely wiped all data from the access logs. Now, all the access log reports is localhost IP address and empty data. We've contacted them to fix it, but now none of the techs know how to fix it.

Prior to March 27 (before we requested our host restore original visitor IP) it would log just fine like this:

108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA
162.158.111.58 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda34ae02b82-AMS
162.158.78.229 - - [27/Mar/2018:08:51:51 -0400] "GET /vs-full-4582db-4657.js HTTP/1.1" 200 492 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15A432 Safari/604.1" 4021fda57db99f3c-IAD
108.162.246.20 - - [27/Mar/2018:08:51:51 -0400] "GET /vrlswp/full/4582db-4657?framed=1&ref=http%3A%2F%2Fwww.uwinit.com%2FPrize%2FIndex%2F17&hash= HTTP/1.1" 200 15468 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1" 4021fda48d352a43-SEA
108

Now, ever since they made a change, it logs like this:

127.0.0.1 - - [11/Apr/2018:06:07:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
218.76.49.6 - - [11/Apr/2018:06:08:46 -0400] "GET /LoginPage.do HTTP/1.1" 404 10092 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)"
::1 - - [11/Apr/2018:06:09:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:09:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:10:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:11:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:12:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:12:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:14:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:15:41 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:17:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:18:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:19:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:20:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
::1 - - [11/Apr/2018:06:21:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:21:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:22:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:23:47 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:24:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:25:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:27:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:27:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:28:10 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:30:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:31:59 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:33:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:33:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"

I've already tried modifying the Litespeed settings for "Use Client IP in Header" to NO/YES/Trusted IP Only, and the log never changes when trying all different settings.

Any ideas on what to do here to fix this?

 

[Pong]

Is it a cpanel server? Check the log format part and restore the original log format.
After you fixed your log format, you can follow the following to show real visitor's IP in the log:
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:cloudflare

 

[Giancarlo]

It is a cpanel server.

I checked httpd.conf for log format and I see this:

<IfModule log_config_module>
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    # NOTE: "combined" and "common" are required by WHM
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

    # access_log format can be set in WHM under 'Basic cPanel & WHM Setup'
    CustomLog logs/access_log combined
</IfModule>

Again, I did not make the change to the access logs to cause them to return localhost IP and drop all data, so I am unsure what the original log format was. Any help would be greatly appreciated.

 

[Pong]

For cpanel, /etc/apache2/logs/access_log is server level access log, which more look like the format you mentioned.

127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"

for domain level access log, you will need to check /etc/apache2/logs/domlogs/, which more look like your original format, combined format.

108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA

If you have further questions, better log a ticket with cpanel or ask cPanel support to change log to your desired log fomat.

 

[Giancarlo]

After following this: https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:cloudflare
It still does not show client IP in the access or dom_logs.
We're running LiteSpeed Web Server Enterprise 5.2.3

 

[Pong]

Better upgrade to latest version of 5.2.6 firstly.
What IPs showing in your log then? CloudFlare IPs?

 

[Giancarlo]

Updating to the latest version and then restarting litespeed seems to have done the trick, the correct IPS are coming in now. Thanks!