Load Balancer Access Logs

Network, Network Traffic, SIEM / Log Aggregator, Network Capture

Location

Load balancer logs (F5 BIG-IP, AWS ALB/NLB, Azure Application Gateway, HAProxy, Nginx)

Description

Layer 4/7 load balancer logs recording client IP, request URL, backend server selected, response time, HTTP status code, TLS version, and health check results. Includes X-Forwarded-For headers preserving original client IPs.

Forensic Value

Load balancer logs capture the true client IP address before it reaches backend servers, which is critical when backend application logs only show the load balancer IP. Request distribution patterns reveal which backend servers handled attacker traffic. Health check failures may indicate backend server compromise or denial of service. TLS negotiation details expose outdated cipher usage. Connection rate and error patterns help reconstruct the timeline of web application attacks.
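As an added example (not part of this catalogue entry), the following Python parser reads AWS ALB access-log lines and aggregates the fields the sections above call out: the true client IP, the backend target chosen, server-side error counts, requests the balancer could not forward to any healthy backend, and clients negotiating outdated TLS versions. The sample log lines are constructed for the example; the field list is the first 16 columns of the ALB access-log layout.

```python
import re
from collections import Counter

# Positional names for the leading AWS ALB access-log fields; the trailing
# fields (target group ARN, trace id, ...) are not needed for these questions.
FIELDS = ["type", "time", "elb", "client", "target", "req_time", "tgt_time",
          "resp_time", "elb_status", "target_status", "recv_bytes",
          "sent_bytes", "request", "user_agent", "ssl_cipher", "ssl_protocol"]

# Constructed sample lines (not captured logs). The third line shows a 503
# with no target chosen, which is what the ALB writes when no backend is healthy.
SAMPLE_LOG = """\
https 2024-05-01T10:00:00.100000Z app/web-alb/abc123 203.0.113.7:51234 10.0.1.10:80 0.001 0.020 0.000 200 200 120 512 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:tg/web
https 2024-05-01T10:00:01.200000Z app/web-alb/abc123 198.51.100.9:40001 10.0.1.11:80 0.001 0.005 0.000 500 500 300 0 "POST https://www.example.com:443/login HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-SHA TLSv1 arn:tg/web
https 2024-05-01T10:00:02.300000Z app/web-alb/abc123 198.51.100.9:40002 - -1 -1 -1 503 - 300 0 "POST https://www.example.com:443/login HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-SHA TLSv1 arn:tg/web
"""

# Quoted fields (request line, user agent) may contain spaces, so a token is
# either a double-quoted run or a run of non-space characters.
FIELD_RE = re.compile(r'"[^"]*"|\S+')

def parse_line(line):
    """Map one ALB log line to a dict; client/target are ip:port pairs."""
    parts = [p.strip('"') for p in FIELD_RE.findall(line)]
    rec = dict(zip(FIELDS, parts))
    rec["client_ip"] = rec["client"].rsplit(":", 1)[0]
    # target is "-" when the ALB could not forward the request to any backend
    rec["target_ip"] = rec["target"].rsplit(":", 1)[0] if ":" in rec["target"] else None
    return rec

def summarize(log_text):
    """Aggregate the fields an investigator pulls from load balancer logs."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "requests_by_client": Counter(r["client_ip"] for r in recs),
        "requests_by_target": Counter(r["target_ip"] for r in recs if r["target_ip"]),
        "server_errors": sum(r["elb_status"].startswith("5") for r in recs),
        "no_target": sum(r["target_ip"] is None for r in recs),
        "legacy_tls_clients": Counter(r["client_ip"] for r in recs
                                      if r["ssl_protocol"] in ("SSLv3", "TLSv1", "TLSv1.1")),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```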

Tools Required

SIEM (Splunk, Elastic), F5 iRules/BIG-IQ, AWS CloudWatch, grep, GoAccess

Collection Commands

HAProxy

awk '{print $6, $7, $8, $10, $11}' /var/log/haproxy.log | sort -t: -k1 > haproxy_access.txt

AWS CLI

aws elbv2 describe-load-balancers --output json > alb_config.json && aws s3 cp s3://<bucket>/AWSLogs/<account>/elasticloadbalancing/ ./alb_logs/ --recursive

F5 BIG-IP

tmsh show ltm virtual | grep -A 10 "Ltm::Virtual Server" > f5_virtual_servers.txt && cat /var/log/ltm > f5_ltm_log.txt

MITRE ATT&CK Techniques

T1190, T1499, T1071.001, T1595, T1498