Monday, July 18, 2022

let Apache logging show source port for NAT444 forensic logging

With NAT444 / CGNAT, many different users share one public IPv4 address, so logging only the IPv4 address is not enough to identify a specific user; you need to log the source port too. I guess lawful intercept logging can then find the individual user.

So ... how do you make the Apache web server log the source IP address plus the source port? Answer: on Ubuntu, in the file /etc/apache2/apache2.conf, as root change the line

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to

LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

So instead of only the remote IP address %h, the remote IP address followed by a colon and the client's source port %{remote}p is logged.

Example result from /var/log/apache2/access.log:

18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"

The source port is 63022.
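To show what the extra port actually buys you on the forensic side, here is an added example (my own code, not part of the original post) that parses access.log lines written with the %h:%{remote}p format above and matches them against a CGNAT translation table. The NAT session table, the subscriber names and the "old format" variant of the log line are constructed for the example; the log line itself is the one from the post. Without the port, the same request maps to two subscribers; with it, to exactly one.

```python
"""Parse Apache 'combined' log lines that carry %h:%{remote}p and attribute
them to a CGNAT subscriber from a constructed NAT session table."""
import re
from datetime import datetime

# Combined format with the client port appended to %h as ":%{remote}p".
# The port group is optional so lines written before the LogFormat change
# still parse (port comes back as None). The host group deliberately
# excludes ':' so an IPv6 %h is rejected (returns None) rather than
# mis-split; NAT444 is an IPv4 problem, so that is acceptable here.
LOG_RE = re.compile(
    r'^(?P<host>[^\s:]+)(?::(?P<port>\d{1,5}))? '  # %h[:%{remote}p]
    r'(?P<ident>\S+) (?P<user>\S+) '               # %l %u
    r'\[(?P<time>[^\]]+)\] '                       # %t
    r'"(?P<request>[^"]*)" '                       # "%r"
    r'(?P<status>\d{3}) (?P<size>\d+|-) '          # %>s %O
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'    # "%{Referer}i" "%{User-Agent}i"
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # Apache %t, e.g. 18/Jul/2022:18:16:10 +0200


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"]) if entry["port"] is not None else None
    entry["status"] = int(entry["status"])
    entry["size"] = None if entry["size"] == "-" else int(entry["size"])
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    return entry


# Constructed CGNAT session records (not real data): the ISP's translation
# log, keyed by public IP and public port with the session's validity window.
NAT_SESSIONS = [
    # (public_ip, public_port, start, end, subscriber)
    ("18.12.12.65", 63022, "2022-07-18T18:15:50+02:00", "2022-07-18T18:20:00+02:00", "subscriber-A"),
    ("18.12.12.65", 40117, "2022-07-18T18:10:00+02:00", "2022-07-18T18:30:00+02:00", "subscriber-B"),
    # same public port, earlier in the day: port reuse is normal under CGNAT
    ("18.12.12.65", 63022, "2022-07-18T17:00:00+02:00", "2022-07-18T17:05:00+02:00", "subscriber-C"),
]


def candidate_subscribers(entry, sessions=NAT_SESSIONS):
    """Subscribers whose NAT session covers the entry's IP (and port, if
    logged) at the logged time. One result means attribution succeeded;
    several means the log line alone is ambiguous."""
    hits = set()
    for ip, port, start, end, subscriber in sessions:
        if ip != entry["host"]:
            continue
        if entry["port"] is not None and port != entry["port"]:
            continue
        if datetime.fromisoformat(start) <= entry["time"] <= datetime.fromisoformat(end):
            hits.add(subscriber)
    return sorted(hits)


# The line from the post (new format) and the same request as the stock
# 'combined' format would have written it (no port).
LINE_WITH_PORT = ('18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" '
                  '200 1571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
                  '(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"')
LINE_WITHOUT_PORT = LINE_WITH_PORT.replace("18.12.12.65:63022", "18.12.12.65", 1)

if __name__ == "__main__":
    for line in (LINE_WITH_PORT, LINE_WITHOUT_PORT):
        e = parse_line(line)
        print(e["host"], e["port"], "->", candidate_subscribers(e))
```

Two practical points when relying on this: the change to apache2.conf only takes effect after `apache2ctl configtest` passes and the service is reloaded, and the port is only meaningful if Apache terminates the client's TCP connection itself; behind a reverse proxy or load balancer, %h and %{remote}p describe the proxy, so the port has to be logged at that edge instead. Accurate clocks (NTP) on the web server matter too, since the match against the ISP's NAT log is done on the timestamp.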