Varnish: filter by Source IP using Varnishlog (in Varnish 2.x, 3.x and 4.x)Mattias Geniar, Saturday, November 26, 2011 - last modified: Saturday, October 17, 2015
This is a small follow-up for the varnishlog-oneliners post, on how to use the varnishlog to show you only the logs being caused by a specific source IP. Very useful if you want to debug your own traffic on a Varnish machine that is in production. You can filter on IPv4 and IPv6 IPs.
The layout looks like this, for the client requests (-c) parameter.
# varnishlog -c -o SessionOpen $IP # varnishlog -c -o SessionOpen 10.0.1.5
To see the backend requests, you can match on the TxHeader.
# varnishlog -b -o TxHeader $IP # varnishlog -b -o TxHeader 10.0.1.5
For Varnish 3.x, use something like this.
# varnishlog -c -m ReqStart:$IP # varnishlog -c -m ReqStart:10.0.1.5 # varnishlog -c -m ReqStart:2a03:2880:10:cf07:face:b00c::1
To see the backend requests, match on the TxHeader.
# varnishlog -b -m TxHeader:$IP # varnishlog -b -m TxHeader:10.0.1.5 # varnishlog -b -m TxHeader:2a03:2880:10:cf07:face:b00c::1
If you want to filter on an X-Forwarded-For header, instead of the IP directly connecting (because there may be another load balancer in between), you can filter using the RxHeader.
# varnishlog -c -m RxHeader:$IP # varnishlog -b -m RxHeader:10.0.1.5 # varnishlog -b -m RxHeader:2a03:2880:10:cf07:face:b00c::1
For IPv6 IP addresses, there is no need to encapsulate in  square brackets.
The varnishlog syntax and inner workings changed significantly in Varnish 4, and all examples from Varnishlog 3.x are no longer valid.
Here's how you can filter based on a single connecting IP.
# varnishlog -q "ReqStart ~ '10.0.1.5'"
And here's how you can use an arbitrary header, like an X-Forwarded-For.
# varnishlog -q "ReqHeader eq 'X-Forwarded-For: 10.0.1.5'"