Apache by default logs the HTTP request method but not the request data itself. This is especially inadequate when troubleshooting POST requests as the details required are in the data that was sent with the request. These are some of the methods available to log POST request data in Apache.

mod_dumpio is included by default in most Apache installations and could easily be configured as the followings;

1. Enable dump_io module .

   $ sudo a2enmod dump_io

   The method could be different if you're not using Ubuntu or other Debian based Linux distribution.

2. Put the logs in specific files to ease reading.

   CustomLog /var/log/httpd/website.log combined
   ErrorLog /var/log/httpd/website.error.log

3. Enable debug logging.

   LogLevel debug

4. Enable the module.

   DumpIOInput On
   DumpIOOutput On
   LogLevel dumpio:trace7

1. Enable the module.

   SecRuleEngine On
   SecAuditEngine on

2. Setup logging in a dedicated file.

   SecAuditLog /var/log/httpd/website-audit.log

3. Allow it to access requests body.

   SecRequestBodyAccess on
   SecAuditLogParts ABIFHZ

4. Setup default action.

   SecDefaultAction "nolog,noauditlog,allow,phase:2"

5. Define the rule that will log the content of POST requests.

   SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
   SecRule REQUEST_URI ".*" "auditlog"

Some POST request could be very big and take up too much space to log. Sensitive data that are sent in POST requests such as passwords or credit card information should not reside in log files. In these instances, you'll have to whether choose what POST data to log, or not log at all.

While this is not an Apache specific solution, the best way to do it is to log POST request data via your application. It's very flexible and you have granular control of what to log and what not to log. The caveat is that you'll have to code it and could be a bit of an extra work.