your log files already capture that information. "EVERY" - GET, POST and HEAD command gets logged by your web server's logging facility, including the client IP address. All you need to do is run something to process the log files into a database that can be queried for the analytical data.

So I need to contact my Internet provider and ask them pretty please to release that information? Or do you mean my web hosting server? Because I already asked the latter and they suggested Google Analytical. I was just hoping for something more third party.

should offer an FTP location for you to download these files to parse offline. If you want a fully automated solution, look at Google analytics or Urchin.

To process them yourself, offline... something like http://www.webalizer.org/ would work well.

I have enough to get started. Thanks for your help.

It is a matter of what the admins chose to turn on in the configurations of the server.

The other catch is that if you do not own the web server, there is a good chance that you are sharing the web server with other "sites" hosted on the same hardware. In that case your data is probably co-mingled with the other sites in the log files. If that is the case, the hosting service will not give you access to those log files since the data is not all yours. Thus, google and the other third parties may be your best bet.

The important question here is what do you want to do with the IP addresses? What other data do you want with them, like timestamps, etc?

In case someone takes it upon themselves to send a threatening email, I would like to have something to give the authorities a chance to track.

Email messages contain everything within the message headers, including the source machine and every server it traveled through.

Whether or not your email reader will show you that data is a difference story, but it is all there.

I use to post to the social.culture forums. We learned how to come in under nom de plumes (it was expected, part of the game to change your identity because there were a great number of bored techies that subscribed to the group) so fudging the email pathline was one of the first things we learned.

It was actually fun trying to figure out who everybody was.

Just paste the complete, unmodified email header into a tool like...
http://www.mxtoolbox.com/EmailHeaders.aspx

If they are using a web based contact form to send the email, you will need to look at the server logs.

One thing to be aware of is if the user is using a proxy to access your site, you will only get the IP of the proxy server's public address. The "authorities" can usually get a search warrant to attain network logs of a proxy hosting provider if the threats are more than minor, and they are US based.

I feel a little more confident now.

I've never used one myself, but I think it's neat when a website knows who I am when I return, and now that banking websites do it, it should be common knowledge.

I've never cared about my personal privacy (at least within the bounds of common sense like posting my address here). We are social creatures. When did people become so fenced off from one another? So far I have not been the victim of identity theft, or black helicopters circling my home with telescopes. OTOH, I'm actually hard pressed to get anyone to even acknowledge my existence.

I'm not sure what the conventional wisdom is though. It's usually the opposite of mine.

It only bothers me because I sincerely believe that our legal enforcement agencies are padded with Republicans, and I know now that civil torts that border on criminal are often ignored if there is political clout around to shut down investigations. In addition, some Repubs have been known to play dirty so it doesn't take a leap to figure out that they'll use whatever resources they have available to shut down someone's livelihood, if necessary.

I guess many people will avoid sites that they think overstep their privacy concerns. So if your audience is like that, I guess IP tracking should be kept to a minimum.

If you want more security, just tracking IPs alone probably won't be enough. Anyway, residential IP addresses can't be traced without a warrant. The site should just be secure, with good password protection and methods of verifying the identity of users. Or at least some captcha to avoid DDOS attacks. Once your site starts getting over a thousand hits a day, it probably is time to consult security experts.

If only.