We want to debug our web applications, or rather the input to them. This is mainly POST data, so normal Apache logging doesn't do the trick. 1)
I tried out mod_dumpio which at first glance looks like a perfect match – but it’s so spammy. I’m sure there’s lots of uses for all that data, but it’s too much for our needs.
Next suggestion was mod_security, which has a rather intimidating reference manual.
First attempt:
SecRuleEngine DetectionOnly
SecAuditEngine on
SecAuditLog /var/log/apache2/website-audit.log
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ
SecDefaultAction "nolog,noauditlog,allow,phase:2"
Looks good! But look at all those plaintext passwords we’re logging. Not impressive.
My next attempt was to just switch auditing off for any request whose body contains the text "pass". While it works, it looks like a hack ("yeah, uh... just stop auditing after this rule!"), and the rest of that transaction might hold interesting data that we do want to log. For posterity, this is what I did:
SecRule REQUEST_BODY "@contains pass" "phase:2,id:1,ctl:auditEngine=Off"
I read through the manual some more and finally found sanitiseArg. 2)
SecAuditLog also supports pipes, so let's cronolog it. 3)
So this is what we're running. Still a bit spammy, but now we can toggle log parts and easily add more filters.

SecRuleEngine DetectionOnly
SecAuditEngine on
SecAuditLog "|/usr/bin/cronolog /var/log/apache2/website-audit-%Y-%m-%d.log"
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ
SecDefaultAction "nolog,noauditlog,allow,phase:2"
SecRule ARGS_NAMES "pass" "phase:2,id:1,sanitizeArg:password,sanitizeArg:password_confirmation"

One caveat: the rule fires for any argument whose name contains "pass", but sanitizeArg only masks the two names listed, so a field called e.g. passwd would match the rule and still land in the log in clear. Either list every such name, or use sanitiseMatched so that whichever argument triggered the rule is the one that gets masked.
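As an added example (not code from this post, from ModSecurity, or from the modsecurity-grep script), here is a small Python parser for the serial audit log that the configuration above writes, with a search over request lines and form fields and a check for password-like arguments that reached the log unmasked. The sample log, its transaction ids, timestamps, addresses and hostnames are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of a ModSecurity 2.x serial audit log as the config above
# would write it: one "--<id>-<part>--" boundary per section, parts A B I F H Z.
# Transaction 8d8a1e8e is a login POST whose "password" field the sanitizeArg
# rule has masked to asterisks.  Transaction 9b2c0f41 sends a field named
# "passwd": the rule matches it (ARGS_NAMES contains "pass") but sanitizeArg
# only lists "password" and "password_confirmation", so the value is logged
# in clear.  Ids, timestamps, addresses and hostnames are made up.
SAMPLE_LOG = """\
--8d8a1e8e-A--
[10/Jan/2013:12:00:00 +0100] UO9a8H8AAAEAAB4tAeoAAAAA 192.0.2.10 54321 192.0.2.1 80
--8d8a1e8e-B--
POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

--8d8a1e8e-I--
username=alice&password=********&remember=1
--8d8a1e8e-F--
HTTP/1.1 302 Found
Location: /home

--8d8a1e8e-H--
Engine-Mode: "DETECTION_ONLY"
--8d8a1e8e-Z--

--9b2c0f41-A--
[10/Jan/2013:12:00:05 +0100] UO9a9X8AAAEAAB4tAesAAAAA 192.0.2.11 54322 192.0.2.1 80
--9b2c0f41-B--
POST /admin/reset HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

--9b2c0f41-I--
user=bob&passwd=hunter2
--9b2c0f41-F--
HTTP/1.1 200 OK

--9b2c0f41-H--
Engine-Mode: "DETECTION_ONLY"
--9b2c0f41-Z--

"""

# Boundary line of the serial format: "--<hex id>-<part letter>--".
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")


def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: body}}."""
    entries = {}
    txid = part = None
    buf = []

    def flush():
        if txid is not None and part is not None:
            entries.setdefault(txid, {})[part] = "\n".join(buf).strip("\n")

    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            flush()
            txid, part = m.group(1), m.group(2)
            buf = []
        else:
            buf.append(line)
    flush()
    return entries


def request_line(entry):
    """First line of part B (request headers), e.g. 'POST /login HTTP/1.1'."""
    return entry.get("B", "").split("\n", 1)[0]


def request_args(entry):
    """Form fields from part I (request body); assumes a urlencoded body,
    which is what the constructed sample uses."""
    return dict(parse_qsl(entry.get("I", ""), keep_blank_values=True))


def search(entries, pattern):
    """Ids of transactions whose request line or any name=value pair matches."""
    rx = re.compile(pattern)
    hits = []
    for txid, entry in entries.items():
        pairs = [f"{k}={v}" for k, v in request_args(entry).items()]
        if rx.search(request_line(entry)) or any(rx.search(p) for p in pairs):
            hits.append(txid)
    return hits


# sanitizeArg replaces every byte of the value with '*' in the audit log.
MASKED_RE = re.compile(r"^\*+$")


def unmasked_secrets(entries, name_pattern=r"pass"):
    """(txid, argument) pairs where an argument whose name matches
    name_pattern (case-insensitive) was logged with a value that is not
    all asterisks, i.e. the sanitize list did not cover it."""
    name_rx = re.compile(name_pattern, re.IGNORECASE)
    leaks = []
    for txid, entry in entries.items():
        for name, value in request_args(entry).items():
            if name_rx.search(name) and value and not MASKED_RE.match(value):
                leaks.append((txid, name))
    return leaks


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_LOG)
    for txid in search(log, r"^POST /"):
        print(txid, request_line(log[txid]), request_args(log[txid]))
    for txid, name in unmasked_secrets(log):
        print(f"LEAK: {txid} logs argument {name!r} in clear; extend the sanitize list")
```

Running it against a real website-audit-*.log file (read the file instead of SAMPLE_LOG) is a quick way to confirm, after changing the sanitize rule, that no password-like field is still being written in clear. Multipart bodies and JSON are not decoded here; only urlencoded form bodies are searched.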
I wrote a script to help searching through the logs: modsecurity-grep on GitHub.

References
1. Yes, the applications will have their own logging, eventually.
2. And I didn't notice until this writeup that I'm using -ize while the manual states -ise. How about that. Thanks, dev team!
3. Of course logrotate works just fine, but I'm not a fan of just enumerating the files. Filenames with dates are easier to use.