IIS 7 advanced logging and X-Forwarded-For
We are enabling "advanced logging" on our IIS 7 servers, specifically to include the X-Forwarded-For header so we can see real client IP's in HTTP sessions that were SNAT'ed by a load balancer. My understanding is that advanced logging makes this work by adding another field to a standard log format like w3c. The latest IIS collector I see on FileConnect is 4.3, which requires w3c Extended Log File Format with all fields included.
My questions then are:
1. By adding another field to the log file, how will the default collector behave?
2. How do we configure the default collector to parse this additional field and write it to a SSIM event?
3. If we modify the default collector to parse and write this additional field, what happens if that collector is used for w3c logs that does not contain this additional field?
I have some ideas about the answers, but am interested in what others might be doing.