Apache has an interesting option to log complete requests, including the body of POST requests. The method has come in handy for honeypots. For a normal server, the logging is likely excessive (other than for debug purposes), and I do not think sensitive data can be masked like in mod_security.

The complete request logging uses the "mod_dumpio" module, which was introduced in Apache 2.2. In Apache 2.2, all you need to do is to enable the module, and set the log level:

    DumpIOInput On

In Apache 2.4, the logging system got revamped, and you now specify the log level per module using the LogLevel directive:

    DumpIOInput On
    LogLevel dumpio:trace7

The logs will end up in your error log, and look like:

    [Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 188.138.17.205:48510] mod_dumpio: dumpio_in (data-HEAP): 26 bytes

You can filter a particular request by grepping for the client IP and port:

    grep '188.138.17.205:48510' error.log

To make things more readable, I use this shell script (for the above log from 188.138.17.205 and port 48510):

    grep '188.138.17.205:48510' error.log | cut -f8- -d':' | grep -Ev ' [0-9]+ bytes$' | grep -v '^$' | cut -c2- | sed 's/\\r\\n//'

The output:

    GET /robots.txt HTTP/1.1

The same module can also be used to log all output, which may come in handy to debug errors on SSL servers, but I haven't had a need to use that function yet.
Johannes, ISC Handler, Apr 21st 2015
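The grep/cut pipeline in the diary follows one connection at a time. As an added example (not part of the original diary), this Python script does the same reassembly for every connection in the log at once, keyed by the `[client ip:port]` field instead of by counting colons. The sample log is constructed, and the escape sequences handled (`\r`, `\n`, `\t`, `\\`, `\xHH`) are an assumption about how Apache escapes data written to the error log.

```python
import re

# Constructed sample in the Apache 2.4 mod_dumpio error-log format (not real traffic).
# Two connections are interleaved, as they would be on a busy honeypot.
SAMPLE_LOG = r"""
[Tue Apr 21 15:08:40.894901 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(140): [client 192.0.2.10:48510] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): 26 bytes
[Tue Apr 21 15:08:40.894961 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): GET /robots.txt HTTP/1.1\r\n
[Tue Apr 21 15:08:40.895102 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(63): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): 22 bytes
[Tue Apr 21 15:08:40.895110 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): POST /login HTTP/1.1\r\n
[Tue Apr 21 15:08:40.895201 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): 19 bytes
[Tue Apr 21 15:08:40.895209 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): Host: example.com\r\n
[Tue Apr 21 15:08:40.895300 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(63): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): 20 bytes
[Tue Apr 21 15:08:40.895308 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): Content-Length: 21\r\n
[Tue Apr 21 15:08:40.895400 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): 2 bytes
[Tue Apr 21 15:08:40.895408 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 192.0.2.10:48510] mod_dumpio: dumpio_in (data-HEAP): \r\n
[Tue Apr 21 15:08:40.895500 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(63): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): 2 bytes
[Tue Apr 21 15:08:40.895508 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): \r\n
[Tue Apr 21 15:08:40.895600 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(63): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): 21 bytes
[Tue Apr 21 15:08:40.895608 2015] [dumpio:trace7] [pid 15249] mod_dumpio.c(103): [client 203.0.113.7:40112] mod_dumpio: dumpio_in (data-HEAP): user=admin&pass=test1
"""

# Input data lines only: group 1 is "ip:port", group 2 is the dumped payload.
DATA_RE = re.compile(r"\[client ([^\]]+)\] mod_dumpio:\s+dumpio_in \(data-[A-Z]+\): (.*)$")
# Assumption: the error log escapes control characters as \r, \n, \t, \\ or \xHH.
ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\"}

def unescape(text):
    """Turn error-log escape sequences back into the bytes the client sent."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == "x" else ESCAPES[tok]
    return re.sub(r"\\(x[0-9a-fA-F]{2}|[rnt\\])", repl, text)

def reassemble(log_text):
    """Return {"ip:port": request text}, rebuilt from the dumpio_in data lines."""
    streams = {}
    for line in log_text.splitlines():
        m = DATA_RE.search(line)
        # Skip the "N bytes" size announcements, as the diary's pipeline does.
        if not m or re.fullmatch(r"\d+ bytes", m.group(2)):
            continue
        streams.setdefault(m.group(1), []).append(unescape(m.group(2)))
    return {client: "".join(parts) for client, parts in streams.items()}

if __name__ == "__main__":
    for client, request in reassemble(SAMPLE_LOG).items():
        print(client, repr(request))
```

The reassembled POST body contains the submitted credentials in clear text, which is the exposure the diary warns about when this logging is enabled outside a honeypot.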
Apr 21st 2015
This is great info. Very detailed. Thanks for sharing!
Anonymous, Apr 22nd 2015