While looking around the Apache module directory yesterday I came across the mod_log_forensic module. This module will log the request headers from each connection, which can be useful for investigating problematic connections and security incidents. To build mod_log_forensic during the Apache configuration process, the "--enable-log_forensic=shared" option can be passed as an argument to the configure script:
$ configure --prefix=/tmp/apache --enable-mods-shared=most --enable-log_forensic=shared
To enable mod_log_forensic, the ForensicLog directive needs to be added to httpd.conf to indicate the file where the request headers should be logged:
$ grep ForensicLog httpd.conf
ForensicLog logs/forensic_log
Once the forensic module is set up, each request to the server will generate a log entry similar to the following:
+q4ViwcCoAQMAAEqfC5MAAAAC|GET /apache_pb.gif
HTTP/1.1|Accept:*/*|Accept-Language:en|Accept-Encoding:gzip,
deflate|Referer:http%3a//192.168.1.3%3a8080/|User-Agent:Mozilla/5.0
(Macintosh; U; PPC Mac OS X; en) AppleWebKit/416.11 (KHTML, like Gecko)
Safari/416.12|Connection:keep-alive|Host:192.168.1.3%3a8080
-q4ViwcCoAQMAAEqfC5MAAAAC
The funny-looking string of characters (the forensic id) is written before and after each request, and the headers are printed between the identifiers. This is nifty stuff!
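A "+" entry whose forensic id never shows up on a closing "-" line is a request the server started but did not finish, which is what you look for after a crashed or hung child. The following is an added example, not part of the original post or of Apache: a small parser that decodes the %xx escapes seen in the entry above and lists the unfinished requests. The sample log is constructed (the first entry is an abridged copy of the one above, the second id is made up), and the function names are my own.

```python
from urllib.parse import unquote

# Constructed sample: entry 1 is abridged from the post, entry 2 has a made-up
# id and deliberately lacks its closing "-" line.
SAMPLE_LOG = """\
+q4ViwcCoAQMAAEqfC5MAAAAC|GET /apache_pb.gif HTTP/1.1|Accept:*/*|Host:192.168.1.3%3a8080
-q4ViwcCoAQMAAEqfC5MAAAAC
+EXAMPLEidNoClose0000001|GET /cgi-bin/report HTTP/1.1|Host:192.168.1.3%3a8080|User-Agent:probe%7ctest
"""


def parse_entry(line):
    """Split a '+' line into (forensic_id, request_line, headers)."""
    fid, request, *fields = line[1:].split("|")
    headers = {}
    for field in fields:
        # Colons and pipes inside names and values are %xx-escaped in the log,
        # so the first literal ':' is always the name/value separator.
        name, _, value = field.partition(":")
        headers[unquote(name)] = unquote(value)
    return fid, unquote(request), headers


def unfinished_requests(lines):
    """Return {forensic_id: (request_line, headers)} for ids with no '-' line."""
    pending = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("+"):
            fid, request, headers = parse_entry(line)
            pending[fid] = (request, headers)
        elif line.startswith("-"):
            # Request completed: drop it from the pending set.
            pending.pop(line[1:], None)
    return pending


if __name__ == "__main__":
    for fid, (request, headers) in unfinished_requests(SAMPLE_LOG.splitlines()).items():
        print(f"unfinished {fid}: {request} (Host: {headers.get('Host', '?')})")
```

To run it against a real log, pass an open file handle for logs/forensic_log to unfinished_requests() in place of the sample lines.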