Ability to log request headers in API Gateway access logs


It appears it is not possible to log request headers in API Gateway access logs? This would be very useful as the current sourceIp ($context.identity.sourceIp) included in access logs is not always accurate.

For example, when behind Cloudflare DNS, Cloudflare passes the source IP address as a header called "cf-connecting-ip", and the originating sourceIp logged in CloudWatch from these requests is a Cloudflare IP address. This makes it very difficult to traverse/filter access logs in CloudWatch for a specific IP address, and as far as I'm aware there is no other workaround other than to log the IP address from the underlying Lambda or employ execution logs, which are not the same. This scenario makes CloudWatch access logging for API Gateway unfeasible.

Is there somewhere we can request this feature?

1 Answer

You could try enabling a WAF (Web Application Firewall) WebACL for your API Gateway and enabling logging for the WebACL. It doesn't need to block any traffic, but this should give you the detailed logs WAF produces that include HTTP headers. The list of fields included in WAF logs is here: https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html

Instructions for using WAF with the API Gateway start on this documentation page: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

Leo K
answered 21 days ago
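
Added example, not part of the answer above or of any AWS code: once WAF logging is on, each record carries `httpRequest.clientIp` and a `httpRequest.headers` list, so the `cf-connecting-ip` value from the question can be recovered and filtered on. The sample records and the trusted proxy range are constructed placeholders; the header is honoured only when the connecting peer is in a range you trust, since any direct caller can set it.

```python
import ipaddress
import json

# Constructed placeholder range (RFC 5737); replace with the proxy ranges you actually trust.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed WAF log records, trimmed to the fields used here.
SAMPLE_LOGS = """\
{"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","uri":"/orders","headers":[{"name":"Host","value":"api.example.com"},{"name":"CF-Connecting-IP","value":"198.51.100.7"}]}}
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.55","uri":"/orders","headers":[{"name":"cf-connecting-ip","value":"198.51.100.7"}]}}
{"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.11","uri":"/health","headers":[{"name":"Host","value":"api.example.com"}]}}
"""

def header(record, name):
    """Return the first value of a header, matched case-insensitively, or None."""
    for h in record["httpRequest"].get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None

def client_ip(record):
    """Use cf-connecting-ip only when the connecting peer is a trusted proxy."""
    peer = ipaddress.ip_address(record["httpRequest"]["clientIp"])
    forwarded = header(record, "cf-connecting-ip")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(peer)

def requests_from(log_text, wanted_ip):
    """Return (uri, peer) for each record whose resolved client IP matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if client_ip(rec) == wanted_ip:
            hits.append((rec["httpRequest"]["uri"], rec["httpRequest"]["clientIp"]))
    return hits

if __name__ == "__main__":
    print(requests_from(SAMPLE_LOGS, "198.51.100.7"))
```

The second sample record carries the same header value but arrives from an untrusted peer, so it resolves to the peer address and does not match the filter.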
