SharePoint can analyze XFF tag and put the client IP in the default audit logs
Found the default audit log of SharePoint doesn’t include the original IP address of the connecting clients if the connection is passed by a NLB. Currently, SharePoint 2016 only records the IP address of NLB instead of the client original IP. But the package of the connection between SharePoint and clients contains XFF tags which allow AP server to know the client IP address. Customer wish SharePoint can analyze XFF tag and put the client IP in the default audit logs.