Last Updated: 2015-04-21 15:15:57 UTC
by Johannes Ullrich (Version: 1)
Apache has an interesting option to log complete requests, including the body of POST requests. The method has come in handy for honeypots. For a normal server, the logging is likely excessive (other then for debug purposes), and I do not think sensitive data can be masked like it mod_security.
The complete request logging uses the "mod_dumpio" module, which was introduced in Apache 2.2. In Apache 2.2, all you need to do is to enable the module, and set the log level:
In Apache 2.4, the logging system got revamped, and you now specify the log level per module using the LogLevel directive:
The logs will end up in your error log, and look like:
[Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 184.108.40.206:48510] mod_dumpio: dumpio_in (data-HEAP): 26 bytes
[Tue Apr 21 15:08:40.894980 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 220.127.116.11:48510] mod_dumpio: dumpio_in (data-HEAP): GET /robots.txt HTTP/1.1\r\n
You can filter a particular request by greping for the client IP and port:
grep '18.104.22.168:48510' error.log
To make things more readable, I use this shell script (for the above log from 22.214.171.124 and port 48510)
grep '126.96.36.199:48510' error.log | cut -f8- -d':' | egrep -v ' [0-9]+ bytes$' | grep -v '^$' | cut -c2- | sed 's/\\r\\n//'
GET /robots.txt HTTP/1.1
The same module can also be used to log all output, which may come in handy to debug errors on SSL servers, but I haven't had a need to use that function yet.