We have extensive metrics and logging for request URLs and headers, but substantially less for the bodies, which is particularly important for POST requests. POST payloads for API requests are available (sampled and redacted) in api.log, but we're comparatively blind for POSTs to /w/index.php -- they all look the same regardless of action and other parameters.
In certain incident situations, including for example DOS attacks where the attack traffic is non-API POST requests, a sampled and redacted log of POST data in Logstash would make troubleshooting much easier.
- /w/index.php
- rest.php