Linux – Log incoming requests on Ubuntu (ports 80, 443)

I would use tcpdump or ngrep, it would be nice to have the port on the switch connected to the web server mirrored, but in absence of that, you can run ngrep or tcpdump on the server itself.

You will need superuser access to run either of those programs.

You're going to want to read a bit, as you obviously know what you are looking for in the traffic, ngrep does allow you to select traffic by regex, which might allow you to pick out packets with better accuracy.

ngrep -l -q -d eth0 "^POST " tcp and port 80 -O dump.file

This would get you any HTTP data POSTed to port 80 on eth0. You might be able to pick out something much more specific. If you are going to be reading the traffic directly from the file, you might want to add -W byline as it makes the packets much more readable as it respects the line breaks, so you can see the packet written out more logically (for humans). -O dump.file will write the output of your packet capture to a file. The output can be as detailed as you'd like, to replay the packets, have a look at tcpreplay

Tomcat's AccessLogValve has the buffered configuration option which defaults to true, which means that if Tomcat crashes, you might lose the buffer's worth of logs. See http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve.

You might want to try and set buffered to false, which would then make the valve flush the log on every request, bearing in mind that this will probably affect overall performance.

Another option is to place e.g. an Apache reverse proxy in front of Tomcat (using mod_proxy, mod_jk, mod_ajp or mod_cluster) and have it do the request logging.