Associating a user identifier detected from web traffic with a client address

What is claimed is: 1. A method comprising: receiving, at a device in a network, a set of known user identifiers used in the network; receiving, at the device, web traffic log data regarding web traffic in the network, wherein the web traffic log data comprises HTTP header information captured from the web traffic and a plurality of client addresses associated with the web traffic; detecting, by the device, a particular user identifier of the set of known user identifiers in multiple field values of the HTTP header information, wherein the HTTP header information is associated with a particular client address of the plurality of client addresses; and making, by the device, an association between the particular user identifier and the particular client address based on a frequency count of the particular user identifier in web traffic that is associated with the particular client address, wherein the frequency count is calculated by counting how often the particular user identifier is present in the multiple field values of the HTTP header information. 2. The method as in claim 1 , further comprising: removing, by the device, the association between the particular user identifier and the particular client address based on a Dynamic Host Configuration Protocol (DHCP) event involving the particular client address. 3. The method as in claim 1 , wherein receiving the set of known user identifiers used in the network comprises: receiving, by the device, the set of known user identifiers from a Lightweight Directory Access Protocol (LDAP) directory. 4. The method as in claim 1 , wherein detecting a plurality of known user identifiers in the HTTP header information associated with the particular client address comprises: identifying, by the device, the plurality of known user identifiers in a Uniform Resource Identifier (URI) or a cookie in the HTTP header information associated with the particular client address. 5. The method as in claim 1 , further comprising: calculating, by the device, a frequency count of each user identifier of the set of known user identifiers in the web traffic. 6. The method as in claim 5 , wherein the particular user identifier is associated with the particular client address based on the particular user identifier having a highest frequency count in the web traffic that is associated with the particular client address among the set of known user identifiers. 7. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed operable to: receive a set of known user identifiers used in the network; receive web traffic log data regarding web traffic in the network, wherein the web traffic log data comprises HTTP header information captured from the web traffic and a plurality of client addresses associated with the web traffic; detect a particular user identifier of the set of known user identifiers in multiple field values of the HTTP header information, wherein the HTTP header information is associated with a particular client address of the plurality of client addresses; and make an association between the particular user identifier and the particular client address based on a frequency count of the particular user identifier in web traffic that is associated with the particular client address, wherein the frequency count is calculated by counting how often the particular user identifier is present in the multiple field values of the HTTP header information. 8. The apparatus as in claim 7 , wherein the process when executed is further operable to: remove the association between the particular user identifier and the particular client address based on a Dynamic Host Configuration Protocol (DHCP) event involving the particular client address. 9. The apparatus as in claim 7 , wherein the apparatus receives the set of known user identifiers used in the network by: receiving the set of known user identifiers from a Lightweight Directory Access Protocol (LDAP) directory. 10. The apparatus as in claim 7 , wherein the apparatus detects a plurality of known user identifiers in the HTTP header information associated with the particular client address by: identifying the plurality of known user identifiers in a Uniform Resource Identifier (URI) or a cookie in the HTTP header information associated with the particular client address. 11. The apparatus as in claim 7 , wherein the process when executed is further operable to: calculate a frequency count of each user identifier of the set of known user identifiers in the web traffic. 12. The apparatus as in claim 11 , wherein the particular user identifier is associated with the particular client address based on the particular user identifier having a highest frequency count in the web traffic that is associated with the particular client address among the set of known user identifiers. 13. A tangible, non-transitory, computer-readable medium that stores program instructions that cause a device in a network to execute a process comprising: receiving, at the device, a set of known user identifiers used in the network; receiving, at the device, web traffic log data regarding web traffic in the network, wherein the web traffic log data comprises HTTP header information captured from the web traffic and a plurality of client addresses associated with the web traffic; detecting, by the device, a particular user identifier of the set of known user identifiers in multiple field values of the HTTP header information, wherein the HTTP header information is associated with a particular client address of the plurality of client addresses; and making, by the device, an association between the particular user identifier and the particular client address based on a frequency count of the particular user identifier in web traffic that is associated with the particular client address, wherein the frequency count is calculated by counting how often the particular user identifier is present in the multiple field values of the HTTP header information. 14. The tangible, non-transitory, computer-readable medium as in claim 13 , wherein the process further comprises: removing the association between the particular user identifier and the particular client address based on a Dynamic Host Configuration Protocol (DHCP) event involving the particular client address. 15. The tangible, non-transitory, computer-readable medium as in claim 13 , wherein receiving the set of known user identifiers used in the network comprises: receiving the set of known user identifiers from a Lightweight Directory Access Protocol (LDAP) directory. 16. The tangible, non-transitory, computer-readable medium as in claim 13 , wherein detecting a plurality of known user identifiers in the HTTP header information associated with the particular client address comprises: identifying the plurality of known user identifiers in a Uniform Resource Identifier (URI) or a cookie in the HTTP header information associated with the particular client address. 17. The tangible, non-transitory, computer-readable medium as in claim 13 , wherein the process further comprises: calculating, by the device, a frequency count of each user identifier of the set of known user identifiers in the web traffic. 18. The tangible, non-transitory, computer-readable medium as in claim 13 , wherein the particular