CODEWITHSUNDEEP
loggingapacheapache-config
Kevin Weil
Kevin Weil

Reputation: 1589

Best way to log POST data in Apache?

Imagine you have a site API that accepts data in the form of GET requests with parameters, or as POST requests (say, with standard url-encoded, &-separated POST data). If you want to log and analyze API calls, the GET requests will be easy, because they will be in the apache log. Is there a simple way to get the POST data in the apache log as well?

(Of course we could log the POST data explicitly in the application, but I'd like to have an configuration-level way that let me not worry about it in code.)

Upvotes: 82

Views: 169215

Answers (9)

Jeroen Vermeulen
Jeroen Vermeulen

Reputation: 2461

You can install mod_security and put in /etc/modsecurity/modsecurity.conf:

SecAuditEngine On
SecAuditLog /var/log/apache2/modsec_audit.log
SecRequestBodyAccess on
SecAuditLogParts ABIJDFHZ

Upvotes: 27

hpr
hpr

Reputation: 164

Enable mod_dumpio

  • for Debian-based OS

    sudo a2enmod dump_io

  • for RedHat-based OS

    nothing to do, it is enabled by default

Add mod_dumpio to your virtual host configuration

<VirtualHost *:8080>
  ServerName  localhost

  ErrorLog "/var/log/httpd/error.log"
  CustomLog "/var/log/httpd/access.log" combined

  DumpIOInput On
  DumpIOOutput On
  LogLevel dumpio:trace7    
</VirtualHost>

Restart Apache

Upvotes: 3

bimosaurus
bimosaurus

Reputation: 1

You can also use mod DumpIO, activate it, and load from your Apache Log Conf. Define log name as postdata name, and load to AccessLog statement

#AccessLog /path/to/your/log/abc.access.log combine

AccessLog /path/to/your/log/abc.access.log postdata

Upvotes: 0

hg8
hg8

Reputation: 1120

You can use [ModSecurity][1] to view POST data.

Install on Debian/Ubuntu:

$ sudo apt install libapache2-mod-security2

Use the recommended configuration file:

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Reload Apache:

$ sudo service apache2 reload

You will now find your data logged under /var/log/apache2/modsec_audit.log

$ tail -f /var/log/apache2/modsec_audit.log
--2222229-A--
[23/Nov/2017:11:36:35 +0000] 
--2222229-B--
POST / HTTP/1.1
Content-Type: application/json
User-Agent: curl
Host: example.com

--2222229-C--
{"test":"modsecurity"}

Upvotes: 19

Daniel
Daniel

Reputation: 4735

You can also use the built-in forensic log feature.

Upvotes: -2

siliconrockstar
siliconrockstar

Reputation: 3664

An easier option may be to log the POST data before it gets to the server. For web applications, I use Burp Proxy and set Firefox to use it as an HTTP/S proxy, and then I can watch (and mangle) data 'on the wire' in real time.

For making API requests without a browser, SoapUI is very useful and may show similar info. I would bet that you could probably configure SoapUI to connect through Burp as well (just a guess though).

Upvotes: 0

Spider
Spider

Reputation: 561

Use Apache's mod_dumpio. Be careful for obvious reasons.

Note that mod_dumpio stops logging binary payloads at the first null character. For example a multipart/form-data upload of a gzip'd file will probably only show the first few bytes with mod_dumpio.

Also note that Apache might not mention this module in httpd.conf even when it's present in the /modules folder. Just manually adding LoadModule will work fine.

Upvotes: 45

w00d
w00d

Reputation: 5596

Though It's late to answer. This module can do: https://github.com/danghvu/mod_dumpost

Upvotes: 13

Assaf Lavie
Assaf Lavie

Reputation: 75973

I would do it in the application, actually. It's still configurable at runtime, depending on your logger system, of course. For example, if you use Apache Log (log4j/cxx) you could configure a dedicated logger for such URLs and then configure it at runtime from an XML file.

Upvotes: 2

Related Questions