Reputation: 509
I just want to postmortem an incident that happened in my application server running on AWS. We already enabled ALB logs and VPC flow logs. The application accepts a user's request in a POST method with data in the body. Now I am confused: Do AWS ALB/ELB logs or VPC flow logs contain the body of the user's POST request? Or if not, where can I access the logs which contain the request's body data?
Note: The application server is inside an auto scale group behind an ALB, so logs from the instance level would not be possible.
Upvotes: 1
Views: 3297
Reputation: 13187
Unfortunately not. This is the default format of VPC flow logs:
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
It doesn't care about anything above OSI layer 4.
The ALB access logs don't log the content of the body - documentation.
Here's an example of what HTTPS logs look like:
https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188
192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57
"GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"
1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" 10.0.0.1:80 200 "-" "-"
As you can see, information about the path and some headers is included, but not the body, and that's for good reason. Bodies can get very large and hold very private information, and you don't want to store that stuff for every request.
Upvotes: 6
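For a postmortem, the ALB entry shown in the answer above can still be mined for per-request metadata. The following is an added example, not part of the original answer: it names each field in the order the AWS ALB access-log documentation gives and lists what is recorded for POST requests. The function names and the POST line are constructed for illustration; the GET line is the answer's own sample joined onto one line.

```python
import shlex

# Field order of an ALB access log entry, per the AWS ALB access-log documentation.
ALB_FIELDS = [
    "type", "time", "elb", "client", "target",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification", "classification_reason",
]

SAMPLE = (  # the entry from the answer above, joined onto one line
    'https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 '
    '192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 '
    '"Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" '
    '"arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" '
    '1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" 10.0.0.1:80 200 "-" "-"'
)
# Constructed for this example: the same entry as a POST that sent 812 bytes.
CONSTRUCTED_POST = SAMPLE.replace(' 0 57 "GET ', ' 812 57 "POST ')

def parse_alb_entry(line):
    """Split one entry on spaces, honouring double-quoted fields, and name each field."""
    entry = dict(zip(ALB_FIELDS, shlex.split(line)))  # extra trailing fields are ignored
    # Malformed requests can be logged without a full request line, so pad with "-".
    parts = (entry["request"].split(" ", 2) + ["-", "-"])[:3]
    entry.update(method=parts[0], url=parts[1], http_version=parts[2].strip())
    for key in ("received_bytes", "sent_bytes"):
        entry[key] = int(entry[key])  # request/response size; the content is not logged
    return entry

def post_requests(lines):
    """Return what the log records for each POST: metadata only, never the body."""
    keep = ("time", "client", "url", "elb_status_code", "received_bytes", "trace_id")
    entries = map(parse_alb_entry, lines)
    return [{k: e[k] for k in keep} for e in entries if e["method"] == "POST"]

if __name__ == "__main__":
    for row in post_requests([SAMPLE, CONSTRUCTED_POST]):
        print(row)
```

The `trace_id` value is the useful join key: it lets each load balancer entry be matched to whatever the application itself logged for the same request.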