Best way to log POST data in Apache?

9

81

Imagine you have a site API that accepts data in the form of GET requests with parameters, or as POST requests (say, with standard url-encoded, &-separated POST data). If you want to log and analyze API calls, the GET requests will be easy, because they will be in the apache log. Is there a simple way to get the POST data in the apache log as well?

(Of course we could log the POST data explicitly in the application, but I'd like to have a configuration-level way that lets me not worry about it in code.)

Genevieve answered 13/6, 2009 at 4:17 Comment(1)
Related question at ServerFault: serverfault.com/questions/51295/logging-http-post-in-apache - Incarnation
44

Use Apache's mod_dumpio. Be careful for obvious reasons.

Note that mod_dumpio stops logging binary payloads at the first null character. For example a multipart/form-data upload of a gzip'd file will probably only show the first few bytes with mod_dumpio.

Also note that Apache might not mention this module in httpd.conf even when it's present in the /modules folder. Just manually adding LoadModule will work fine.

Thailand answered 8/2, 2010 at 4:33 Comment(2)
mod_dumpio doesn't sound like it can be restricted to a specific location context, it's only server-wide - Rebeckarebeka
@JosipRodin should be possible via LogLevel (that can be set also in vhost or dir context). Additionally, mod_dumpio needs to be configured to LogLevel trace7 - Stylograph
26

You can install mod_security and put in /etc/modsecurity/modsecurity.conf:

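    # Enable rule processing
    SecRuleEngine On
    # Audit-log every transaction, not only those that trigger a rule
    SecAuditEngine On
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Let ModSecurity read request bodies so they can be logged
    SecRequestBodyAccess on
    # Sections to write; I is the request body (C without uploaded file contents)
    SecAuditLogParts ABIJDFHZ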
Arson answered 13/7, 2016 at 13:8 Comment(6)
modsecurity has Ubuntu packages whereas others do not. - Madagascar
What others? Like dumpio? It's already included with Apache HTTPD — at least in Ubuntu 16.04. That's why there's no separate package for it. You just need to enable it. - Pressurecook
For http 2.4 yum package is mod24_security and config file location is /etc/httpd/conf.d/mod_security.conf - Westward
dumpio looks like it's limited to the first 256 bytes of the body, then truncates the rest. - Thwart
Does this log all requests or only such with security violations? Can it be limited to certain URLs, for example if I want to debug only one specific form? - Torus
This example logs all traffic quite extended. At github.com/SpiderLabs/ModSecurity/wiki/… it says "Scope Any" so it should be possible to use this directive within <Location> or <Directory> - Arson
17

You can use ModSecurity to view POST data.

Install on Debian/Ubuntu:

    $ sudo apt install libapache2-mod-security2

Use the recommended configuration file:

    $ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Reload Apache:

    $ sudo service apache2 reload

You will now find your data logged under /var/log/apache2/modsec_audit.log

    $ tail -f /var/log/apache2/modsec_audit.log
    --2222229-A--
    [23/Nov/2017:11:36:35 +0000]
    --2222229-B--
    POST / HTTP/1.1
    Content-Type: application/json
    User-Agent: curl
    Host: example.com

    --2222229-C--
    {"test":"modsecurity"}
Unconscious answered 23/11, 2017 at 13:23 Comment(1)
The default config logged nothing for me. I had to set SecRuleEngine On SecAuditEngine On - Gisele
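
An added example (not part of the answer above and not ModSecurity's own code): a small Python parser for the serial audit-log layout shown in that answer, which extracts each logged POST body and masks fields that should not end up in analysis output. The field names in `SENSITIVE` and the second sample entry are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
SENSITIVE = {"password", "token"}  # assumed field names; adjust per application

def parse_audit_log(text):
    """Return {txid: {part_letter: text}} for a serial-format audit log."""
    out, txid, buf = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        # Part A opens a transaction; other boundaries count only with its id.
        if m and (m.group(2) == "A" or m.group(1) == txid):
            txid = m.group(1)
            buf = out.setdefault(txid, {}).setdefault(m.group(2), [])
        elif buf is not None:
            buf.append(line)
    return {t: {p: "\n".join(v).strip() for p, v in ps.items()} for t, ps in out.items()}

def redact(body, ctype):
    """Mask SENSITIVE fields in url-encoded or JSON-object bodies."""
    mask = lambda k, v: "REDACTED" if k.lower() in SENSITIVE else v
    if "x-www-form-urlencoded" in ctype:
        return urlencode([(k, mask(k, v)) for k, v in parse_qsl(body, keep_blank_values=True)])
    try:
        data = json.loads(body) if "json" in ctype else None
    except ValueError:
        data = None
    return json.dumps({k: mask(k, v) for k, v in data.items()}) if isinstance(data, dict) else body

def post_bodies(text):
    """Return [(txid, request_line, redacted_body)] per POST (body from part C, else I)."""
    found = []
    for txid, parts in parse_audit_log(text).items():
        lines = parts.get("B", "").splitlines()
        if lines and lines[0].startswith("POST "):
            ctype = next((h.lower() for h in lines[1:] if h.lower().startswith("content-type:")), "")
            found.append((txid, lines[0], redact(parts.get("C") or parts.get("I", ""), ctype)))
    return found

# Constructed sample in the layout of the log above; the second entry is invented.
SAMPLE = ("--2222229-A--\n[23/Nov/2017:11:36:35 +0000]\n--2222229-B--\nPOST / HTTP/1.1\n"
          "Content-Type: application/json\n\n--2222229-C--\n{\"test\":\"modsecurity\"}\n"
          "--2222229-Z--\n--3333330-A--\n[23/Nov/2017:11:36:40 +0000]\n--3333330-B--\n"
          "POST /login HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n"
          "--3333330-I--\nuser=alice&password=hunter2\n--3333330-Z--\n")

if __name__ == "__main__":
    print(*post_bodies(SAMPLE), sep="\n")
```

The audit log itself still holds the unmasked bodies, so its file permissions and retention need the same care as any credential store.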
13

Though it's late to answer, this module can do it: https://github.com/danghvu/mod_dumpost

Icily answered 9/12, 2012 at 11:10 Comment(1)
cool! it absolutely makes sense to dump post data for logfile analysis i.e. for things like sql injection attempts. - Judgment
2

I would do it in the application, actually. It's still configurable at runtime, depending on your logger system, of course. For example, if you use Apache Log (log4j/cxx) you could configure a dedicated logger for such URLs and then configure it at runtime from an XML file.

Renatorenaud answered 13/6, 2009 at 4:22 Comment(3)
My concern there is that EVERY api handler will have to log the data at the beginning -- easy to forget as you're adding, and at best it's just added boilerplate. - Genevieve
Any good framework should have pre and post filters, or the equivalent of middleware which will allow you to fire and forget. - Chirm
Came here after apache log4j vulnerability - Christophe
2

Enable mod_dumpio

  • for Debian-based OS

    sudo a2enmod dump_io

  • for RedHat-based OS

    nothing to do, it is enabled by default

Add mod_dumpio to your virtual host configuration

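    <VirtualHost *:8080>
      ServerName  localhost

      # mod_dumpio writes the dumped data to the ErrorLog
      ErrorLog "/var/log/httpd/error.log"
      CustomLog "/var/log/httpd/access.log" combined

      # Dump request (input) and response (output) data
      DumpIOInput On
      DumpIOOutput On
      # mod_dumpio only logs at trace7
      LogLevel dumpio:trace7
    </VirtualHost>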

Restart Apache

Agonic answered 26/8, 2022 at 7:12 Comment(0)
0

An easier option may be to log the POST data before it gets to the server. For web applications, I use Burp Proxy and set Firefox to use it as an HTTP/S proxy, and then I can watch (and mangle) data 'on the wire' in real time.

For making API requests without a browser, SoapUI is very useful and may show similar info. I would bet that you could probably configure SoapUI to connect through Burp as well (just a guess though).

Expediency answered 30/6, 2016 at 17:48 Comment(0)
0

You can also use mod DumpIO, activate it, and load from your Apache Log Conf. Define log name as postdata name, and load to AccessLog statement

    #AccessLog /path/to/your/log/abc.access.log combine

    AccessLog /path/to/your/log/abc.access.log postdata

Shoulder answered 22/1, 2022 at 4:47 Comment(1)
This does not work. AccessLog is not an Apache config directive, "postdata" is not defined anywhere, DumpIO always seems to default to "/var/log/apache2/error.log" even if you specify ErrorLog to point elsewhere - Shaggy
-2

You can also use the built-in forensic log feature.

Crossjack answered 17/10, 2018 at 0:31 Comment(3)
I don't see any way to ask mod_log_forensic to log POST data. Am I missing something? - Fortyfive
httpd.apache.org/docs/2.4/mod/mod_log_forensic.html#forensiclog indicates this module can only be as granular as a virtual host - Rebeckarebeka
forensic log doesn't log content - Longlegged
