12

Currently, AWS ELB, both classic and application, do not log the body of POST requests. Neither does Cloudfront. Is it possible to get the full body of HTTP requests at this level above the instance?

xraymemory
  • 133
  • 1
  • 5
  • 1
    Please head over to CloudWatch to get events and full body of HTTP request to all API's of AWS. – Saif Ali Nov 14 '19 at 22:01
  • How do I find the ELB events in CloudWatch? Right now, when I enable logging for an ELB it goes to an S3 bucket. I'm just looking for a way to get the full request body of an HTTP request before it hits the application level in my network. The LB obviously gets the entire request but it just is not logging it – xraymemory Nov 14 '19 at 23:42
  • @saif An ELB end point is not the same as an API end point. Cloudwatch does not provide any ELB logging. – Rodrigo Murillo Nov 15 '19 at 02:40
  • I don't think that is possible via ELB not CloudWatch. There is no reference to post body request data in https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-log-entry-format – Rodrigo Murillo Nov 15 '19 at 03:03
  • kindly head towards https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html – Saif Ali Nov 15 '19 at 07:37

2 Answers2

0

You can't get access to full POST body in ELB logs, it's not really what the ELB logs are for. They are more around request counts and timings etc. Also, the body of a POST could contain all sorts of sensitive information - email, password, date of birth, address etc.

It's also fairly unusual that logs would contain this kind of information, it's generally captured by the request handling application.

If recording the request in your application isn't an option you could look at Traffic Mirroring - one of the use cases is content inspection. This will allow you to copy all traffic from the ELB ENI and send it to another application, e.g. a service running on an EC2 instance that writes the body to and S3 bucket.

Fermin
  • 34,961
  • 21
  • 83
  • 129
-2

You can inspect HTTP request contents via WAF, and block based on certain conditions. This occurs before the request reaches the application. See https://aws.amazon.com/about-aws/whats-new/2016/01/aws-waf-now-inspects-http-request-body-and-adds-size-constraint-condition/

Rodrigo Murillo
  • 13,080
  • 2
  • 29
  • 50
  • 3
    Thank you Rodrigo. Does the WAF allow you to log the full requests for later analysis / playback or is it a strictly in-flight inspection? – xraymemory Nov 15 '19 at 17:34
  • 1
    AWS WAF does not currently log the request body. https://docs.aws.amazon.com/whitepapers/latest/guidelines-for-implementing-aws-waf/requirements.html#:~:text=AWS%20WAF%20does%20not%20currently%20log%20the%20request%20body. – N R Mar 26 '22 at 16:51