Load Balancer Access Logs

Network Traffic, SIEM / Log Aggregator, Network Capture

Location

Load balancer logs (F5 BIG-IP, AWS ALB/NLB, Azure Application Gateway, HAProxy, Nginx)

Description

Layer 4/7 load balancer logs recording the client IP, request URL, backend server selected, response time, HTTP status code, TLS version, and health check results. Includes X-Forwarded-For headers preserving original client IPs. Note that the X-Forwarded-For header is supplied by the party sending the request, so only the address the load balancer itself observed or appended should be treated as reliable; any CDN or upstream proxy in front of the load balancer must be accounted for when attributing an address to a client.

Forensic Value

Load balancer logs capture the true client IP address before it reaches backend servers, which is critical when backend application logs only show the load balancer IP. Request distribution patterns reveal which backend servers handled attacker traffic. Health check failures may indicate backend server compromise or denial of service. TLS negotiation details expose outdated cipher usage. Connection rate and error patterns help reconstruct the timeline of web application attacks.
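As an added example (not part of this reference entry), a small Python parser for AWS ALB access-log lines in the documented field order. It runs over constructed sample lines, recovers the load-balancer-observed client IP, the backend selected, status codes and TLS version, and flags clients negotiating outdated TLS and requests that never reached a backend. The `shop.example` hostname, addresses and target-group ARN are constructed, not real.

```python
import shlex
from collections import Counter

# Constructed sample lines (not real traffic) in AWS ALB access-log field order:
# type time elb client:port target:port req_t tgt_t resp_t elb_status tgt_status
# rx_bytes tx_bytes "request" "user_agent" ssl_cipher ssl_protocol target_group_arn
SAMPLE_LOG = """\
https 2024-01-01T10:00:00.000000Z app/web/abc 203.0.113.10:51000 10.0.1.20:8080 0.001 0.040 0.000 200 200 120 2048 "GET https://shop.example:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:tg/web
https 2024-01-01T10:00:01.000000Z app/web/abc 203.0.113.10:51001 10.0.1.21:8080 0.001 0.050 0.000 500 500 300 512 "POST https://shop.example:443/login HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-SHA TLSv1 arn:tg/web
https 2024-01-01T10:00:02.000000Z app/web/abc 198.51.100.7:44000 10.0.1.21:8080 0.001 0.020 0.000 404 404 200 256 "GET https://shop.example:443/.env HTTP/1.1" "curl/8.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.3 arn:tg/web
https 2024-01-01T10:00:03.000000Z app/web/abc 203.0.113.10:51002 - 0.001 -1 -1 503 - 100 0 "GET https://shop.example:443/ HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:tg/web
"""

OUTDATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_alb_line(line):
    """Split one ALB log line (quoted fields aware) into the fields used for triage."""
    f = shlex.split(line)
    # client:port is the address the load balancer itself saw; unlike X-Forwarded-For
    # it is not supplied by the requester, so it is the value to attribute traffic to.
    client_ip = f[3].rsplit(":", 1)[0]
    # target:port is "-" when no backend was selected (e.g. all targets unhealthy).
    backend = f[4].rsplit(":", 1)[0] if f[4] != "-" else "-"
    return {
        "time": f[1],
        "client_ip": client_ip,
        "backend": backend,
        "elb_status": f[8],
        "target_status": f[9],
        "method_path": " ".join(f[12].split()[:2]),
        "user_agent": f[13],
        "tls": f[15],
    }

def summarize(log_text):
    """Aggregate parsed lines into the views an investigator reaches for first."""
    records = [parse_alb_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "requests_by_client": Counter(r["client_ip"] for r in records),
        "requests_by_backend": Counter(r["backend"] for r in records),
        "status_by_client": Counter((r["client_ip"], r["elb_status"]) for r in records),
        "outdated_tls_clients": sorted({r["client_ip"] for r in records if r["tls"] in OUTDATED_TLS}),
        "backend_failures": [r for r in records if r["backend"] == "-"],
    }
```

`requests_by_backend` answers which servers handled a given client's traffic, and `backend_failures` surfaces the 5xx responses the load balancer generated on its own when no healthy target was available.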

Tools Required

SIEM (Splunk, Elastic), F5 iRules/BIG-IQ, AWS CloudWatch, grep, GoAccess