This is a small follow-up for the varnishlog-oneliners post , on how to use the varnishlog to show you only the logs being caused by a specific source IP. Very useful if you want to debug your own traffic on a Varnish machine that is in production. You can filter on IPv4 and IPv6 IPs.
Varnish 2.x#
The layout looks like this, for the client requests (-c) parameter.
# varnishlog -c -o SessionOpen $IP # varnishlog -c -o SessionOpen 10.0.1.5
To see the backend requests, you can match on the TxHeader.
# varnishlog -b -o TxHeader $IP # varnishlog -b -o TxHeader 10.0.1.5
Varnish 3.x#
For Varnish 3.x, use something like this.
# varnishlog -c -m ReqStart:$IP # varnishlog -c -m ReqStart:10.0.1.5 # varnishlog -c -m ReqStart:2a03:2880:10:cf07:face:b00c::1
To see the backend requests, match on the TxHeader.
# varnishlog -b -m TxHeader:$IP # varnishlog -b -m TxHeader:10.0.1.5 # varnishlog -b -m TxHeader:2a03:2880:10:cf07:face:b00c::1
If you want to filter on an X-Forwarded-For header, instead of the IP directly connecting (because there may be another load balancer in between), you can filter using the RxHeader.
# varnishlog -c -m RxHeader:$IP # varnishlog -b -m RxHeader:10.0.1.5 # varnishlog -b -m RxHeader:2a03:2880:10:cf07:face:b00c::1
For IPv6 IP addresses, there is no need to encapsulate in [] square brackets.
Varnish 4.x#
The varnishlog syntax and inner workings changed significantly in Varnish 4, and all examples from Varnishlog 3.x are no longer valid.
Here’s how you can filter based on a single connecting IP.
# varnishlog -q "ReqStart ~ '10.0.1.5'"
And here’s how you can use an arbitrary header, like an X-Forwarded-For.
# varnishlog -q "ReqHeader eq 'X-Forwarded-For: 10.0.1.5'"
That’s it.