Log POST data with Apache

We want to debug our web applications, or rather the input to them. This is mainly POST data, so normal Apache logging doesn’t do the trick. 1)Yes, the applications will have their own logging, eventually.

I tried out mod_dumpio which at first glance looks like a perfect match – but it’s so spammy. I’m sure there’s lots of uses for all that data, but it’s too much for our needs.

Next suggestion was mod_security, which has a rather intimidating reference manual.

First attempt:

Looks good! But look at all those plaintext passwords we’re logging. Not impressive.

My next attempt was to just filter out all log rows which contains the text “pass”. While it works, it looks like a hack (“yeah, uh… just stop auditing after this rule!”) and there might be interesting data in that log line that we want to log. For posterity, this is what I did:

I read through the manual some more and finally found sanitiseArg 2)And I didn’t notice until this writeup that I’m using -ize while the manual states -ise. How about that. Thanks, dev team!

SecAuditLog also supports pipes, so let’s cronolog it. 3)Of course logrotate works just fine, but I’m not a fan of just enumerating the files. Filenames with dates are easier to use.

So this is what we’re running. Still a bit spammy, but now we can toggle log parts, and easily add more filters.

References   [ + ]

1. Yes, the applications will have their own logging, eventually.
2. And I didn’t notice until this writeup that I’m using -ize while the manual states -ise. How about that. Thanks, dev team!
3. Of course logrotate works just fine, but I’m not a fan of just enumerating the files. Filenames with dates are easier to use.

One thought on “Log POST data with Apache

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.