Project

General

Profile

Actions

Architecture #14015

open

We don't have a way to log all input request of webapp

Added by François ARMAND almost 6 years ago. Updated 15 days ago.

Status:
New
Priority:
N/A
Assignee:
-
Category:
System integration
Target version:
Effort required:
Name check:
Fix check:
Regression:

Description

We absolutly need to be able to log input request to rudder webapp (ie at jetty level), with POST details level, at least for REST API.

Actually, we need to be able to tell:

- log all input request with timing (we have that one: net.liftweb.util.TimeHelpers at info level)
- log some input request full level (headers, params, body), specifying a path or regex (ex: /api/latests/nodes/pending/xxxxx)

We may skip 4.1 for that, but at least 4.3 is a must have to allows debugging of real prod problems.

A workaround for debuging, at apache level is to use mod_security with the following configuration:


# /etc/httpd/conf.d/rudder.conf

<VirtualHost *:443>
.... existing configuration ....

  # enable security log audit
  SecRuleEngine DetectionOnly
  SecAuditEngine RelevantOnly

  # Setup logging in a dedicated file for Rudder
  SecAuditLog /var/log/rudder/apache2/rest-debug.log
  # Allow it to access requests body - we need to explore POST
  SecRequestBodyAccess on
  # part of the request relevant to us, see:
  # https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecAuditLogParts
  SecAuditLogParts ABIFHZ

  # Setup default action: log nothing
  SecDefaultAction "nolog,noauditlog,phase:1,allow" 

  # Define the rule that will log for ex requests on REST API for pending nodes
  SecRule REQUEST_URI ".*/api/latest/nodes/pending.*" "auditlog,phase:1,allow,id:42" 

</VirtualHost>

Actions

Also available in: Atom PDF