71

Imagine you have a site API that accepts data in the form of GET requests with parameters, or as POST requests (say, with standard url-encoded, &-separated POST data). If you want to log and analyze API calls, the GET requests will be easy, because they will be in the Apache log. Is there a simple way to get the POST data in the Apache log as well?

(Of course we could log the POST data explicitly in the application, but I'd like to have a configuration-level way that lets me not worry about it in code.)

Kevin Weil

8 Answers

41

Use Apache's mod_dumpio. Be careful for obvious reasons.

Note that mod_dumpio stops logging binary payloads at the first null character. For example a multipart/form-data upload of a gzip'd file will probably only show the first few bytes with mod_dumpio.

Also note that Apache might not mention this module in httpd.conf even when it's present in the /modules folder. Just manually adding LoadModule will work fine.

Arjan
Spider
  • mod_dumpio doesn't sound like it can be restricted to a specific location context, it's only server-wide – Josip Rodin Jan 31 '19 at 11:26
  • @JosipRodin should be possible via LogLevel (that can be set also in vhost or dir context). _Additionally, mod_dumpio needs to be configured to LogLevel trace7_ – Marki555 Oct 20 '20 at 21:07
20

You can install mod_security and put in /etc/modsecurity/modsecurity.conf:

SecRuleEngine On
SecAuditEngine On
SecAuditLog /var/log/apache2/modsec_audit.log
SecRequestBodyAccess on
SecAuditLogParts ABIJDFHZ
13

Though it's late to answer, this module can do it: https://github.com/danghvu/mod_dumpost

w00d
  • 1
    Cool! It absolutely makes sense to dump POST data for logfile analysis, i.e. for things like SQL injection attempts. – KIC Sep 09 '14 at 12:48
12

You can use ModSecurity to view POST data.

Install on Debian/Ubuntu:

$ sudo apt install libapache2-mod-security2

Use the recommended configuration file:

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Reload Apache:

$ sudo service apache2 reload

You will now find your data logged under /var/log/apache2/modsec_audit.log

$ tail -f /var/log/apache2/modsec_audit.log
--2222229-A--
[23/Nov/2017:11:36:35 +0000] 
--2222229-B--
POST / HTTP/1.1
Content-Type: application/json
User-Agent: curl
Host: example.com

--2222229-C--
{"test":"modsecurity"}
Josip Rodin
hg8
8

Not exactly an answer, but I have never heard of a way to do this in Apache itself. I guess it might be possible with an extension module, but I don't know whether one has been written.

One concern is that POST data can be pretty large, and if you don't put some kind of limit on how much is being logged, you might run out of disk space after a while. It's a possible route for hackers to mess with your server.

David Z
  • 5
    I agree with the latter half completely! As there is no limit on the POST data it could include all sorts of data, including passwords, which you wouldn't want to store in a log. There may be other secure and large data you don't want in the log. – Darryl Hein Jun 13 '09 at 05:23
  • 2
    Logging passwords is not a problem, you aren't sending passwords in plain text anyway, are you? – supo Mar 21 '11 at 15:45
  • 9
    @supo: even if the passwords are encrypted via SSL they would still be logged in plain text. But the particular concern I was addressing was filling up your disk space, not exposing passwords in the log. – David Z Mar 21 '11 at 16:17
  • @supo doesn't WordPress send them in plain format? Then how to encrypt that? Using JavaScript encryption? – T.Todua Aug 14 '17 at 13:53
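
The password and log-size concerns raised in this thread apply directly to the ModSecurity audit log quoted in an earlier answer, so one option is to sanitize that log before it is retained or shipped elsewhere. The following is an added example, not part of the original thread: it parses the audit-log layout shown above, masks sensitive fields and caps body size; the sample log, the field names in `SENSITIVE` and the `MAX_BODY` limit are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode
# Constructed sample in the audit-log layout quoted above (not real traffic).
SAMPLE_LOG = """--2222229-A--
[23/Nov/2017:11:36:35 +0000]
--2222229-B--
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
--2222229-C--
user=alice&password=hunter2
--3333330-A--
[23/Nov/2017:11:36:40 +0000]
--3333330-B--
POST /api HTTP/1.1
Content-Type: application/json
--3333330-C--
{"test":"modsecurity","token":"abc123"}
"""
BOUNDARY = re.compile(r"^--(\w+)-([A-Z])--$")  # e.g. --2222229-C--
SENSITIVE = {"password", "passwd", "token", "secret"}  # assumed field names
MAX_BODY = 1024  # assumed cap on characters kept per body

def parse_audit(text):
    """Split the log into {transaction_id: {part_letter: text}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := BOUNDARY.match(line):
            current = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return {t: {p: "\n".join(v).strip() for p, v in ps.items()} for t, ps in entries.items()}

def redact_body(body, headers):
    """Mask sensitive top-level fields (JSON or url-encoded), then truncate."""
    mask = lambda k, v: "REDACTED" if k.lower() in SENSITIVE else v
    if "application/json" in headers.lower():
        try:
            body = json.dumps({k: mask(k, v) for k, v in json.loads(body).items()})
        except (ValueError, AttributeError):  # malformed, or not a JSON object
            body = "[unparseable JSON dropped]"
    elif "x-www-form-urlencoded" in headers.lower():
        body = urlencode([(k, mask(k, v)) for k, v in parse_qsl(body, keep_blank_values=True)])
    return body[:MAX_BODY]

def sanitized_bodies(text):
    """Map each transaction id to its redacted, size-capped request body."""
    log = parse_audit(text)
    return {t: redact_body(p.get("C", ""), p.get("B", "")) for t, p in log.items()}
```

Bodies of any other content type (for example multipart uploads) pass through with only the size cap applied, and nested JSON fields are not inspected.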
2

I would do it in the application, actually. It's still configurable at runtime, depending on your logger system, of course. For example, if you use Apache Log (log4j/cxx) you could configure a dedicated logger for such URLs and then configure it at runtime from an XML file.

Assaf Lavie
  • My concern there is that EVERY api handler will have to log the data at the beginning -- easy to forget as you're adding, and at best it's just added boilerplate. – Kevin Weil Jun 13 '09 at 04:33
  • Any good framework should have pre and post filters, or the equivalent of middleware which will allow you to fire and forget. – blockhead Oct 15 '12 at 07:57
0

An easier option may be to log the POST data before it gets to the server. For web applications, I use Burp Proxy and set Firefox to use it as an HTTP/S proxy, and then I can watch (and mangle) data 'on the wire' in real time.

For making API requests without a browser, SoapUI is very useful and may show similar info. I would bet that you could probably configure SoapUI to connect through Burp as well (just a guess though).

MediaVince
siliconrockstar
-1

You can also use the built-in forensic log feature.

Aeyoun