Varnish: filter by Source IP using Varnishlog (in Varnish 2.x, 3.x and 4.x)

Mattias Geniar, Saturday, November 26, 2011 - last modified: Saturday, October 17, 2015

This is a small follow-up for the varnishlog-oneliners post, on how to use the varnishlog to show you only the logs being caused by a specific source IP. Very useful if you want to debug your own traffic on a Varnish machine that is in production. You can filter on IPv4 and IPv6 IPs.

Varnish 2.x

The layout looks like this, for the client requests (-c) parameter.

# varnishlog -c -o SessionOpen $IP
# varnishlog -c -o SessionOpen

To see the backend requests, you can match on the TxHeader.

# varnishlog -b -o TxHeader $IP
# varnishlog -b -o TxHeader

Varnish 3.x

For Varnish 3.x, use something like this.

# varnishlog -c -m ReqStart:$IP
# varnishlog -c -m ReqStart:
# varnishlog -c -m ReqStart:2a03:2880:10:cf07:face:b00c::1

To see the backend requests, match on the TxHeader.

# varnishlog -b -m TxHeader:$IP
# varnishlog -b -m TxHeader:
# varnishlog -b -m TxHeader:2a03:2880:10:cf07:face:b00c::1

If you want to filter on an X-Forwarded-For header, instead of the IP directly connecting (because there may be another load balancer in between), you can filter using the RxHeader.

 # varnishlog -c -m RxHeader:$IP
# varnishlog -b -m RxHeader:
# varnishlog -b -m RxHeader:2a03:2880:10:cf07:face:b00c::1

For IPv6 IP addresses, there is no need to encapsulate in [] square brackets.

Varnish 4.x

The varnishlog syntax and inner workings changed significantly in Varnish 4, and all examples from Varnishlog 3.x are no longer valid.

Here's how you can filter based on a single connecting IP.

# varnishlog -q "ReqStart ~ ''"

And here's how you can use an arbitrary header, like an X-Forwarded-For.

# varnishlog -q "ReqHeader eq 'X-Forwarded-For:'"

That's it.

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.

I respect your privacy and you won't get spam. Ever.
Just a weekly newsletter about Linux and open source.

SysCast podcast

In the SysCast podcast I talk about Linux & open source projects, interview sysadmins or developers and discuss web-related technologies. A show by and for geeks!

cron.weekly newsletter

A weekly newsletter - delivered every Sunday - for Linux sysadmins and open source users. It helps keeps you informed about open source projects, Linux guides & tutorials and the latest news.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!


James Pearson Tuesday, November 6, 2012 at 21:24

Varnishtop, unfortunately, doesn’t support the -m parameter. Instead, try this:

varnishtop -c -d -f -i ReqStart


Ramon Fincken Saturday, September 6, 2014 at 14:14

You may even skip the -c or -b to see all requests (V3)


Leave a Reply

Your email address will not be published. Required fields are marked *