Load Balancer Access Logs
NetworkNetwork TrafficSIEM / Log AggregatorNetwork Capture
Location
Load balancer logs (F5 BIG-IP, AWS ALB/NLB, Azure Application Gateway, HAProxy, Nginx)Description
Layer 4/7 load balancer logs recording client IP, request URL, backend server selected, response time, HTTP status code, TLS version, and health check results. Includes X-Forwarded-For headers preserving original client IPs.
Forensic Value
Load balancer logs capture the true client IP address before it reaches backend servers, which is critical when backend application logs only show the load balancer IP. Request distribution patterns reveal which backend servers handled attacker traffic. Health check failures may indicate backend server compromise or denial of service. TLS negotiation details expose outdated cipher usage. Connection rate and error patterns help reconstruct the timeline of web application attacks.
Tools Required
SIEM (Splunk, Elastic)F5 iRules/BIG-IQAWS CloudWatchgrepGoAccess
Collection Commands
HAProxy
cat /var/log/haproxy.log | awk '{print $6, $7, $8, $10, $11}' | sort -t: -k1 > haproxy_access.txtAWS CLI
aws elbv2 describe-load-balancers --output json > alb_config.json && aws s3 cp s3://<bucket>/AWSLogs/<account>/elasticloadbalancing/ ./alb_logs/ --recursive
F5 BIG-IP
tmsh show ltm virtual | grep -A 10 "Ltm::Virtual Server" > f5_virtual_servers.txt && cat /var/log/ltm > f5_ltm_log.txt
MITRE ATT&CK Techniques
T1190T1499T1071.001T1595T1498