POST requests having an X-Forwarded-For header are logged under the `xff` log bucket. That handling is done in wmf-config/CommonSettings.php as an entry in $wgExtensionFunctions.
The archived and compressed files are:
|xff.log||~ 2 GBytes|
The primary reason is that the Jobrunner service enqueues jobs by hitting the web hosts directly on localhost, which ends up causing a lot of spam such as:
|localhost||2016-03-15 09:40:37 mw1163 idwiktionary 1.27.0-wmf.16 localhost INFO: Tue, 15 Mar 2016 09:40:37 +0000 mw1163 , 127.0.0.1 http|
|xff||2016-03-15 09:40:37 mw1163 idwiktionary 1.27.0-wmf.16 xff INFO: Tue, 15 Mar 2016 09:40:37 +0000 http://127.0.0.1:9005/rpc/RunJobs.php?wiki=idwiktionary&type=refreshLinksDynamic&maxtime=60&maxmem=300M , 127.0.0.1|
A first cause of spam is the Nov 2013 commit 66af43f4483861f72ac2bca665bcbe31530d002c https://gerrit.wikimedia.org/r/#/c/93017/ . It logs WebRequest::detectProtocol() and I believe that was to debug / help with the HTTPS transition.
I don't think we need the localhost logbucket anymore.
For the xff bucket, there is probably no need to log them when the request originates from 127.0.0.1.
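The loopback rule proposed above, sketched as an offline filter over archived xff lines so its effect can be measured before changing what is logged. This is an added example, not code from wmf-config or from this task. It assumes the last comma-separated field of an xff line is the connecting address; the function names and all sample lines except the first are constructed.

```python
import ipaddress
import re

# Layout taken from the xff sample line above; reading the last
# comma-separated field as the connecting address is an assumption.
XFF_LINE = re.compile(
    r"^\S+ \S+ (?P<host>\S+) (?P<wiki>\S+) \S+ xff INFO: "
    r"\w{3}, \d{1,2} \w{3} \d{4} [\d:]{8} [+-]\d{4} "
    r"(?P<url>\S+) (?P<addrs>.*)$"
)

def parse_xff_line(line):
    """Return (url, forwarded_chain, remote_addr) or None if unparseable."""
    m = XFF_LINE.match(line.strip())
    if not m:
        return None
    addrs = [a.strip() for a in m["addrs"].split(",") if a.strip()]
    if not addrs:
        return None
    return m["url"], addrs[:-1], addrs[-1]

def is_loopback_origin(line):
    """True only when the connecting address itself is loopback."""
    parsed = parse_xff_line(line)
    if parsed is None:
        return False  # keep anything that cannot be classified
    try:
        # Decide on the connecting address, never on the forwarded chain:
        # a client can put 127.0.0.1 into X-Forwarded-For itself.
        return ipaddress.ip_address(parsed[2]).is_loopback
    except ValueError:
        return False

def filter_xff(lines):
    """Split lines into (kept, dropped) using the loopback rule."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_loopback_origin(line) else kept).append(line)
    return kept, dropped

PREFIX = ("2016-03-15 09:40:37 mw1163 idwiktionary 1.27.0-wmf.16 xff INFO: "
          "Tue, 15 Mar 2016 09:40:37 +0000 ")
SAMPLE = [  # first entry mirrors the line above; the rest are constructed
    PREFIX + "http://127.0.0.1:9005/rpc/RunJobs.php?wiki=idwiktionary"
             "&type=refreshLinksDynamic&maxtime=60&maxmem=300M , 127.0.0.1",
    PREFIX + "https://example.org/w/index.php?action=submit 203.0.113.7, 198.51.100.20",
    PREFIX + "https://example.org/w/index.php?action=submit 127.0.0.1, 198.51.100.20",
    PREFIX + "https://example.org/w/api.php , ::1",
    "truncated or unrelated line",
]
```

Running `filter_xff` over an archived xff.log shows how much of the file is Jobrunner traffic, while entries that only claim 127.0.0.1 inside the forwarded chain stay in the log.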