Logging Complete Requests in Apache 2.2 and 2.4
Apache has an interesting option to log complete requests, including the body of POST requests. The method has come in handy for honeypots. For a normal server, the logging is likely excessive (other then for debug purposes), and I do not think sensitive data can be masked like it mod_security.
The complete request logging uses the "mod_dumpio" module, which was introduced in Apache 2.2. In Apache 2.2, all you need to do is to enable the module, and set the log level:
DumpIOInput On
DumpIOLogLevel debug
In Apache 2.4, the logging system got revamped, and you now specify the log level per module using the LogLevel directive:
DumpIOInput On
LogLevel dumpio:trace7
The logs will end up in your error log, and look like:
[Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 188.138.17.205:48510] mod_dumpio: dumpio_in (data-HEAP): 26 bytes
[Tue Apr 21 15:08:40.894980 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 188.138.17.205:48510] mod_dumpio: dumpio_in (data-HEAP): GET /robots.txt HTTP/1.1\r\n
You can filter a particular request by greping for the client IP and port:
grep '188.138.17.205:48510' error.log
To make things more readable, I use this shell script (for the above log from 188.138.17.205 and port 48510)
grep '188.138.17.205:48510' error.log | cut -f8- -d':' | egrep -v ' [0-9]+ bytes$' | grep -v '^$' | cut -c2- | sed 's/\\r\\n//'
The output:
GET /robots.txt HTTP/1.1
Host: [redacted]:8080
Accept-Encoding: identity
The same module can also be used to log all output, which may come in handy to debug errors on SSL servers, but I haven't had a need to use that function yet.
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Anonymous
Apr 22nd 2015
9 years ago