Varnish: filter by Source IP using Varnishlog (in Varnish 2.x, 3.x and 4.x)

Mattias Geniar, Saturday, November 26, 2011 - last modified: Saturday, October 17, 2015

This is a small follow-up for the varnishlog-oneliners post, on how to use the varnishlog to show you only the logs being caused by a specific source IP. Very useful if you want to debug your own traffic on a Varnish machine that is in production. You can filter on IPv4 and IPv6 IPs.

Varnish 2.x

The layout looks like this, for the client requests (-c) parameter.

# varnishlog -c -o SessionOpen $IP
# varnishlog -c -o SessionOpen

To see the backend requests, you can match on the TxHeader.

# varnishlog -b -o TxHeader $IP
# varnishlog -b -o TxHeader

Varnish 3.x

For Varnish 3.x, use something like this.

# varnishlog -c -m ReqStart:$IP
# varnishlog -c -m ReqStart:
# varnishlog -c -m ReqStart:2a03:2880:10:cf07:face:b00c::1

To see the backend requests, match on the TxHeader.

# varnishlog -b -m TxHeader:$IP
# varnishlog -b -m TxHeader:
# varnishlog -b -m TxHeader:2a03:2880:10:cf07:face:b00c::1

If you want to filter on an X-Forwarded-For header, instead of the IP directly connecting (because there may be another load balancer in between), you can filter using the RxHeader.

 # varnishlog -c -m RxHeader:$IP
# varnishlog -b -m RxHeader:
# varnishlog -b -m RxHeader:2a03:2880:10:cf07:face:b00c::1

For IPv6 IP addresses, there is no need to encapsulate in [] square brackets.

Varnish 4.x

The varnishlog syntax and inner workings changed significantly in Varnish 4, and all examples from Varnishlog 3.x are no longer valid.

Here's how you can filter based on a single connecting IP.

# varnishlog -q "ReqStart ~ ''"

And here's how you can use an arbitrary header, like an X-Forwarded-For.

# varnishlog -q "ReqHeader eq 'X-Forwarded-For:'"

That's it.

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!


James Pearson Tuesday, November 6, 2012 at 21:24 - Reply

Varnishtop, unfortunately, doesn’t support the -m parameter. Instead, try this:

varnishtop -c -d -f -i ReqStart

Ramon Fincken Saturday, September 6, 2014 at 14:14 - Reply

You may even skip the -c or -b to see all requests (V3)

Stéphan Friday, March 9, 2018 at 17:23 - Reply

varnishlog -g request -q “ReqStart ~ ‘’”


Leave a Reply

Your email address will not be published. Required fields are marked *