Log POST data with ModSecurity

Sometimes you may need to log all POST requests to debug or make ModSecurity rules to protect Web Server. For this you need that you have ModSecurity installed on server.

Log POST data

This simple rule logging all POST request data to ModSecurity AuditLog.

SecRule REQUEST_METHOD "POST" \
"id:800000,phase:2,t:none,pass,nolog,auditlog,msg:'Malware.Expert - Log POST data'"

This cause lot of logging data to ModSecurity Audit Log file, which comes very big if you have lots of traffic to web server or it is a production server.

Log POST data from specific URL

If you don’t want to log all POST requests, you can log only from specific url.

SecRule REQUEST_METHOD "POST" \
"id:800000,phase:2,t:none,chain,pass,nolog,auditlog,msg:'Log WordPress admin-ajax.php data'"
SecRule REQUEST_URI    "/wp-admin/admin-ajax\.php"     "t:none"

What logging

ModSecurity Configuration you can choose, what data you want to AuditLog files. Read More in AuditLog

Commercial ModSecurity Rules

Read more about Malware Expert – ModSecurity rules and protect your web server vulnerabilities with Web Application Firewall. Here, you can find more ModSecurity Rule Examples.