是否可以在 apache 访问日志中排除指定的 GET 参数? [英] Is it possible to exclude specified GET parameters in apache access logs?

查看:21
本文介绍了是否可以在 apache 访问日志中排除指定的 GET 参数?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要在我的 apache 日志中排除一些敏感细节,但我想保留日志和 uri.是否可以在我的访问日志中实现以下目标:

I need to exclude some sensitive details in my apache log, but I want to keep the log and the uri's in it. Is it possible to achieve following in my access log:

127.0.0.1 - - [27/Feb/2012:13:18:12 +0100] "GET /api.php?param=secret HTTP/1.1" 200 7600 "http://localhost/api.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"

我想像这样用[过滤]"替换秘密":

I want to replace "secret" with "[FILTERED]" like this:

127.0.0.1 - - [27/Feb/2012:13:18:12 +0100] "GET /api.php?param=[FILTERED] HTTP/1.1" 200 7600 "http://localhost/api.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"

我知道我可能应该使用 POST 来发送这个变量,但损坏已经造成.我看过 http://httpd.apache.org/docs/2.4/logs.html 和 LogFormat,但找不到任何使用正则表达式或类似的可能性.有什么建议吗?

I know I probably should have used POST to send this variable, but the damage is already done. I've looked at http://httpd.apache.org/docs/2.4/logs.html and LogFormat, but could not find any possibilities to use regular expression or similar. Any suggestions?

如果您可以选择,请勿将敏感变量作为 GET 参数发送.

Do NOT send sensitive variables as GET parameters if you have the possibility to choose.

推荐答案

我找到了解决问题的方法.如果我将日志输出通过管道传输到 sed,我可以在将输出附加到日志文件之前对输出执行正则表达式替换.

I've found one way to solve the problem. If I pipe the log output to sed, I can perform a regex replace on the output before I append it to the log file.

示例 1

CustomLog "|/bin/sed -E s/'param=[^& \t\n]*'/'param=\[FILTERED\]'/g >> /your/path/access.log" combined

示例 2

也可以排除几个参数:

exclude.sh

#!/bin/bash
while read x ; do
    result=$x
    for ARG in "$@"
    do
        cleanArg=`echo $ARG | sed -E 's|([^0-9a-zA-Z_])|\\\\\1|g'`
        result=`echo $result | sed -E s/$cleanArg'=[^& \t\n]*'/$cleanArg'=\[FILTERED\]'/g`
    done
    echo $result
done

将上面的脚本移动到文件夹/opt/scripts/或其他地方,赋予脚本执行权限(chmod +x exclude.sh)并像这样修改你的 apache 配置:

Move the script above to the folder /opt/scripts/ or somewhere else, give the script execute rights (chmod +x exclude.sh) and modify your apache config like this:

CustomLog "|/opt/scripts/exclude.sh param param1 param2 >> /your/path/access.log" combined

文档

http://httpd.apache.org/docs/2.4/logs.html#piped

http://www.gnu.org/software/sed/manual/sed.html

这篇关于是否可以在 apache 访问日志中排除指定的 GET 参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
服务器开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆