是否有可能排除Apache的访问日志指定GET参数？ [英] Is it possible to exclude specified GET parameters in apache access logs?

问题描述

我需要排除在我的Apache日志一些敏感的细节，但我想保留日志和URI的在里面。是否有可能实现我的访问日志如下：

I need to exclude some sensitive details in my apache log, but I want to keep the log and the uri's in it. Is it possible to achieve following in my access log:

127.0.0.1 - - [27/Feb/2012:13:18:12 +0100] "GET /api.php?param=secret HTTP/1.1" 200 7600 "http://localhost/api.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"

我要替换秘密和[FILTERED]是这样的：

I want to replace "secret" with "[FILTERED]" like this:

127.0.0.1 - - [27/Feb/2012:13:18:12 +0100] "GET /api.php?param=[FILTERED] HTTP/1.1" 200 7600 "http://localhost/api.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"

我知道，我也许应该用POST发送此变量，但损害已经造成。我看着 http://httpd.apache.org/docs/2.4/logs。 HTML 并LogFormat的，但找不到任何可能性，使用常规的前pression或相似。有什么建议？

I know I probably should have used POST to send this variable, but the damage is already done. I've looked at http://httpd.apache.org/docs/2.4/logs.html and LogFormat, but could not find any possibilities to use regular expression or similar. Any suggestions?

不要发送敏感的变量，如果你要选择的可能性GET参数。

Do NOT send sensitive variables as GET parameters if you have the possibility to choose.

推荐答案

我已经找到解决问题的方法之一。如果我管日志输出 SED ，我可以执行一个正则表达式对输出更换之前，我把它添加到日志文件。

I've found one way to solve the problem. If I pipe the log output to sed, I can perform a regex replace on the output before I append it to the log file.

示例1

CustomLog "|/bin/sed -E s/'param=[^& \t\n]*'/'param=\[FILTERED\]'/g >> /your/path/access.log" combined

例2

这也是可以排除的几个参数：

It's also possible to exclude several parameters:

exclude.sh

#!/bin/bash
while read x ; do
    result=$x
    for ARG in "$@"
    do
        cleanArg=`echo $ARG | sed -E 's|([^0-9a-zA-Z_])|\\\\\1|g'`
        result=`echo $result | sed -E s/$cleanArg'=[^& \t\n]*'/$cleanArg'=\[FILTERED\]'/g`
    done
    echo $result
done

以上移动到文件夹的/ opt /脚本别的/或其他地方，给脚本执行权限的脚本（搭配chmod + X exclude.sh ），并修改Apache配置像这样的：

Move the script above to the folder /opt/scripts/ or somewhere else, give the script execute rights (chmod +x exclude.sh) and modify your apache config like this:

CustomLog "|/opt/scripts/exclude.sh param param1 param2 >> /your/path/access.log" combined

文档

http://httpd.apache.org/docs/2.4/logs。 HTML＃管道

http://www.gnu.org/software/sed/manual/ sed.html

这篇关于是否有可能排除Apache的访问日志指定GET参数？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！