Welcome to WebmasterWorld Guest from

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

apache log 2 ip addresses one line

aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb

9:21 pm on Jul 28, 2005 (gmt 0)

New User

10+ Year Member

joined:Aug 10, 2004
votes: 0

While scanning an apache access log I came across a handful of lines that have 2 IP addresses on them.

The 2 addresses are the same for all entries, and are formatted like:


Any idea what this could mean?

3:45 pm on Aug 15, 2005 (gmt 0)

Senior Member

joined:Mar 8, 2002
votes: 0

4:08 pm on Aug 15, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 28, 2002
votes: 0

... it is hard to tell with so few details.
Do you log further variables beyond the COMMON default?
Do you even log additional private variables %{p1} with apache_note out of PHP scripts into the common log file?

The only thing that comes into my mind is: if you log the X-FORWARDED-FOR sent by some proxies, it may contain more than just one IP address.


4:19 pm on Aug 15, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Oct 15, 2003
votes: 0


Can you past a few complete lines from the raw log file and more importantly, a copy of the CustomLogs and any other related (logformat, etc) Apache directives.

The reason that the directives are useful is that they tell us what Apache has been directed to record in the log:

CustomLog /docs/logs/access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"


6:16 pm on Aug 16, 2005 (gmt 0)

New User

10+ Year Member

joined:Aug 10, 2004
votes: 0

Thanks for your responses. I've no experience with server admin, so my apologies.

A few common entries -

68.*.*.* - - [21/Jul/2005:16:19:34 -0700] "GET /some-file.html HTTP/1.0" 200 2118 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)"

212.*.*.* - - [21/Jul/2005:09:00:45 -0700] "GET /css.css HTTP/1.0" 200 2137 "/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

A sample double IP entry -

82.*.*.*, 62.*.*.* - - [02/Aug/2005:10:14:08 -0700] "GET /css.css HTTP/1.0" 200 2137 "referrer" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"

A sample triple entry -

10.*.*.*, 132.185.*.*, 132.185.*.* - - [04/Aug/2005:04:31:15 -0700] "GET / HTTP/1.0" 304 - "referrer" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

I don't have access to the httpd.conf because the site in question is on a shared host. (lesson learned)
From the support pages on the host it seems only the default variables are being logged.

I was leaning towards proxies as an explanation and X-FORWARDED-FOR (default variable?) would make sense. Thanks again for your input.