Logging Complete Requests in Apache 2.2 and 2.4

Published: 2015-04-21. Last Updated: 2015-04-21 15:15:57 UTC
by Johannes Ullrich (Version: 1)

Apache has an interesting option to log complete requests, including the body of POST requests. The method has come in handy for honeypots. For a normal server, the logging is likely excessive (other than for debug purposes), and I do not think sensitive data can be masked like it can in mod_security.

The complete request logging uses the "mod_dumpio" module, which was introduced in Apache 2.2. In Apache 2.2, all you need to do is to enable the module, and set the log level:

DumpIOInput On
DumpIOLogLevel debug

In Apache 2.4, the logging system got revamped, and you now specify the log level per module using the LogLevel directive:

DumpIOInput On
LogLevel dumpio:trace7

The logs will end up in your error log, and look like:

[Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 188.138.17.205:48510] mod_dumpio:  dumpio_in (data-HEAP): 26 bytes
[Tue Apr 21 15:08:40.894980 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 188.138.17.205:48510] mod_dumpio:  dumpio_in (data-HEAP): GET /robots.txt HTTP/1.1\r\n

You can filter a particular request by grepping for the client IP and port:

grep '188.138.17.205:48510' error.log

To make things more readable, I use this shell script (for the above log from 188.138.17.205 and port 48510):

grep '188.138.17.205:48510' error.log | cut -f8- -d':' | egrep -v ' [0-9]+ bytes$' | grep -v '^$' | cut -c2- | sed 's/\\r\\n//'

The output:

GET /robots.txt HTTP/1.1
Host: [redacted]:8080
Accept-Encoding: identity
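
Going one step beyond the one-liner above, this added example (not part of the original diary) splits a whole error log into one reassembled request stream per client IP and port, and masks Cookie and Authorization header values in the output. It assumes the Apache 2.4 line layout shown earlier; the function names, sample entries and addresses are constructed for illustration.

```python
import re

# Layout of a mod_dumpio input line, taken from the article's Apache 2.4 sample.
LINE_RE = re.compile(r"\[client (?P<client>[^\]]+)\] mod_dumpio:\s+"
                     r"dumpio_in \(data-[^)]*\): (?P<data>.*)$")
SIZE_RE = re.compile(r"\d+ bytes")  # "26 bytes" bookkeeping entries
SECRET_RE = re.compile(r"^(authorization|proxy-authorization|cookie):.*$", re.I)

def reassemble(log_lines, redact=True):
    """Return {"ip:port": [request lines]} in log order, one key per connection."""
    conns = {}
    for raw in log_lines:
        m = LINE_RE.search(raw.rstrip("\r\n"))
        if not m or SIZE_RE.fullmatch(m["data"]):
            continue
        # The log holds CR LF as the four characters \r\n. Only that sequence is
        # decoded; other escapes stay escaped so client bytes are never printed raw.
        parts = m["data"].split("\\r\\n")
        if len(parts) > 1 and parts[-1] == "":
            parts.pop()  # drop the empty tail left by a terminating \r\n
        for part in parts:
            if redact:  # headers only; request bodies pass through unmasked
                part = SECRET_RE.sub(r"\1: [masked]", part)
            conns.setdefault(m["client"], []).append(part)
    return conns

def sample_line(client, data):
    """Constructed sample entry in the article's layout (not real traffic)."""
    return ("[Tue Apr 21 15:08:40.894980 2015] [dumpio:trace7] [pid 15247] "
            f"mod_dumpio.c(103): [client {client}] mod_dumpio:  "
            f"dumpio_in (data-HEAP): {data}")

A, B = "192.0.2.10:40001", "198.51.100.7:51514"  # documentation addresses
SAMPLE = [  # two interleaved connections plus one unrelated entry
    sample_line(A, "22 bytes"), sample_line(A, r"POST /login HTTP/1.1\r\n"),
    sample_line(B, r"GET /robots.txt HTTP/1.1\r\n"),
    sample_line(A, r"Cookie: session=abc123\r\n"),
    sample_line(B, r"Host: example.test\r\n"), sample_line(A, r"\r\n"),
    "[Tue Apr 21 15:08:41.000000 2015] [core:info] unrelated entry",
    sample_line(A, "9 bytes"), sample_line(A, "user=test"), sample_line(B, r"\r\n"),
]

if __name__ == "__main__":
    for client, lines in reassemble(SAMPLE).items():
        print(f"--- {client}")
        print("\n".join(lines))
```

The masking applies only to the reassembled output; the error log itself still holds every request in full, so it needs the same access controls as the data it captures.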

The same module can also be used to log all output, which may come in handy to debug errors on SSL servers, but I haven't had a need to use that function yet.

 

---
Johannes B. Ullrich, Ph.D.

Comments

This is great info. Very detailed. Thanks for sharing!
