Does anyone know how I could get IIS to log POST data or the entire HTTP request?
Asked
Active
Viewed 6.5k times
44
-
[ModSecurity is available for IIS7+](https://www.modsecurity.org/download.html). It will allow full access to the header and body of both the request and response. – user2320464 Sep 02 '16 at 23:54
6 Answers
41
The IIS logs only record querystring and header information without any POST data.
If you're using IIS7, you can enabled Failed Request Tracing for status code 200. That will record all of the data and you can select which type of data to include.
In either IIS6 or 7, you can use Application_BeginRequest in global.asax and create your own logging of POST data.
Or, in IIS7, you can write a HTTP Module with your own custom logging.
Scott Forsyth
- 16,339
- 3
- 36
- 55
-
+1 - I like your answer far, far better than my own. I clearly need to read up on failed request tracing, since I obviously haven't used IIS7 as much as I should. – Evan Anderson Dec 04 '09 at 11:52
-
-
1The last step of the wizard when creating a FRT rule allows you to select which data to include. It defaults to including everything. – Scott Forsyth Aug 24 '12 at 19:24
-
I was looking for something for IIS6 but came across this link which shows advanced logging is an add-on option for IIS7. http://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging – andyknas Mar 30 '16 at 19:52
-
It doesn't appear (from that url Andyknas shared) that IIS "advanced logging" logs form posts. It offers an option for "client logging" , which would log posts of a particular sort, but not all form posts, which the OP seems to be requesting (and I was wondering about, myself.) – charlie arehart Feb 16 '19 at 00:17
-
Check the comments here on where to find the POST body in a Failed Request Tracing entry: https://stackoverflow.com/a/9089900/220230 – Piedone Feb 03 '20 at 15:20
-
10
In managed code you can use the Response.AppendToLog method. This method will append data to the cs-uri-stem field -- the total length is up to 4100 characters (undocumented). If you exceed that limit, then the value that would have been logged is replaced with "..."
For instance, adding something like this to your Global.asax file should do the trick (C#):
void Application_EndRequest(Object Sender, EventArgs e)
{
if( "POST" == Request.HttpMethod )
{
byte[] bytes = Request.BinaryRead(Request.TotalBytes);
string s = Encoding.UTF8.GetString(bytes);
if (!String.IsNullOrEmpty(s))
{
int QueryStringLength = 0;
if (0 < Request.QueryString.Count)
{
QueryStringLength = Request.ServerVariables["QUERY_STRING"].Length;
Response.AppendToLog( "&" );
}
if (4100 > ( QueryStringLength + s.Length ) )
{
Response.AppendToLog(s);
}
else
{
// append only the first 4090 the limit is a total of 4100 char.
Response.AppendToLog(s.Substring(0, ( 4090 - QueryStringLength )));
// indicate buffer exceeded
Response.AppendToLog("|||...|||");
// TODO: if s.Length >; 4000 then log to separate file
}
}
}
}
Geoffrey McGrath
- 101
- 1
- 2
-
1As of this comment, the limit is not 4100, it's 4KB which is 4096. So this code needs to be modified slightly to log POST data >4KB correctly. – Steven V Jan 29 '14 at 20:42
-
2I had to add HttpContext.Current.Request.InputStream.Position = 0; before request.BinaryRead, otherwise it would return empty array – alex440 May 14 '14 at 09:40
-
using Application_BeginRequest also works without having to set InputStream.Position=0 – Rocky Jun 18 '21 at 17:48
5
While I appreciate that this is an old question, I found this code gave me exactly what I needed, a text file with the complete request headers and the response, put it into your global.asax.cs:
protected void Application_BeginRequest(Object Sender, EventArgs e)
{
string uniqueid = DateTime.Now.Ticks.ToString();
string logfile = String.Format("C:\\path\\to\\folder\\requests\\{0}.txt", uniqueid);
Request.SaveAs(logfile, true);
}
This will create a text file for each and every request (including images) so be careful where you use it. I only used it to log specific post requests.
Terry Kernan
- 221
- 3
- 7
2
Try this in your web.config file to trace everything
<tracing>
<traceFailedRequests>
<remove path="*" />
<add path="*">
<traceAreas>
<add provider="ASP" verbosity="Verbose" />
<add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
<add provider="ISAPI Extension" verbosity="Verbose" />
<add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,Rewrite" verbosity="Verbose" />
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="200-999" />
</add>
</traceFailedRequests>
</tracing>
DeepSpace101
- 698
- 5
- 12
- 25
-
But note that the FRT feature implicitly limits the number of log files it creates (which is a good thing), so you would need to change that, either in the UI or via config file entries--and with due caution for the volume of logs that would be created in even a modest web app. – charlie arehart Feb 16 '19 at 00:19
0
This looks encouraging, though I have not yet tried it:
https://www.codeproject.com/Tips/1213108/HttpModule-for-Logging-HTTP-POST-Data-in-IIS-Log
How does this differ from the other option offered here, with code in the global.asax.cs? That would only work for ASP.NET page requests, not other pages IIS might process (php, cgi, jsp, cfml). The link I shared is to a module that one could enable in IIS for any site (or at the server level) to process for any type of request.
charlie arehart
- 195
- 2
- 9
-4
Try enabling the following in your IIS log settings:
Method (cs-method)
URI Stem (cs-uri-stem)
URI Query (cs-uri-query)
joeqwerty
- 108,377
- 6
- 80
- 171