Overview
This article covers how to configure Apache to log the HTTP fields necessary for applications handling university data. The following configuration guideline meets the requirements for IT Standards.
By default, Apache does not log all information necessary for security monitoring and investigation, such as the X-Forwarded-For header and remote client port. The steps below configure Apache to include this information.
For configurations not behind a load balancer, the X-Forwarded-For header may be omitted.
Configuration
Apache custom log formats are defined in /etc/apache2/apache2.conf. Each website served by the Apache webserver can then specify a custom log format in the site specific configuration at /etc/apache2/sites-enabled/<site name>.conf.
A log format defines what information to log from each HTTP request. A log format definition in apache2.conf is one line and looks like: LogFormat "<percent codes for data to log>" <custom log name>.
Step 1
Open /etc/apache2/apache2.conf and add a new log format line:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{X-Forwarded-For}i %I" ui-format
Each percent sign and character combination represents one datapoint from an HTTP request. For example, %h is remote host and %{X-Forwarded-For} is the value of X-Forwarded-For HTTP header, if present in the request. A full list of Apache percent codes can be found at http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats.
Step 2
Once defined in apache2.conf, open your site configuration file. For example, to modify the default Apache site's logging behaviour:
sudo nano /etc/apache2/sites-enabled/000-default.conf.
For each <VirtualHost> element, find the CustomLog line. This line controls how the site logs each http request. Modify it to refer to the log format we just created:
CustomLog ${APACHE_LOG_DIR}/access.log ui-format
If the line did not exist, create it.
Step 3
Restart Apache web server. The access logs should now start logging the information defined by ui-highrisk-format.