How can one remove from the access_logs certain rows that include sensitive information? The information is supplied via POST and is sent in the $request_body.

The following ways have failed:

1>

log_format filter             '[$time_iso8601] $remote_addr "$request" $status $body_bytes_sent $upstream_response_time "$http_referer" "$http_user_agent" $request_body';

    set $temp $request;
    if ($temp ~* '{\\x22username\\x22:\\x22*.*\\x22,\\x22password\\x22:\\*.*\\x22}') {
        set $temp $1password:****$2;
    }

    access_log /var/log/nginx/access_kibana.log filter if=$request;
    proxy_pass http://kibana;

RESULT: nothing happened, sensitive data is still in the access_log.

2>

    set $sensitive $request;
    if ($sensitive ~ ("password")) {
        set $sensitive $1test:test$2;
    }
    access_log /var/log/nginx/access_kibana.log filter if=$request;
    proxy_pass http://kibana;

This traditional method was probably working in the past, but in my case it doesn't.

3> Works, but completely removes all $request_body logs.

    if ($sensitive ~ ("password")) {
        set $loggable 0;
    }

Does anybody have some documentation/experience in solving this? I hope to get schooled on this. Thank you in advance.

1 Answer

Before you guys jump in with the professional advice, I'll share the resolution.

The log entry in the access logs looked like this:

2018-02-27T06:56:10-08:00] 10.10.10.10 - "POST /api/security/v1/login HTTP/1.1" 200 0 0.012 "http://10.10.10.10/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0" {\x22username\x22:\x22user\x22,\x22}

In order to remove just this entry from the access logs, we have to search for the POST entry that contains api security login and version, and set it up inside the location configuration.

    if ($request ~ "POST \/api\/security\/v1\/login HTTP\/{1,9}.{1,9}") {
        set $loggable 0;
    }

Thanks for the help anyway.
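As an added example (not from the question or the answer above), the same goal done with `map` instead of `if`: the password value in `$request_body` is masked before logging, and only the login endpoint is dropped from the log, so bodies on other endpoints are still recorded. The log path, format name and `kibana` upstream are the ones from the question; `$request_body_redacted` and `$loggable` are variable names assumed here. The regex matches a raw `"` rather than `\x22`, because `\x22` is only the escaping nginx applies when it writes the log line, not what the variable contains.

```nginx
# Added example, not the poster's configuration. Assumes the log path, the
# "filter" format name and the "kibana" upstream from the question.
http {
    # Mask the password value inside a JSON login body. A map is evaluated
    # when its variable is used (here: at log time), so $request_body has
    # already been read by proxy_pass. Captures keep everything around the
    # password value; the value itself is replaced by "****".
    map $request_body $request_body_redacted {
        default $request_body;
        '~^(?<pre>.*"password"\s*:\s*")[^"]*(?<post>".*)$' "${pre}****${post}";
    }

    # Drop the log line only for the login endpoint (assumed variable name).
    map $request_uri $loggable {
        default                         1;
        ~^/api/security/v1/login(\?|$)  0;
    }

    log_format filter '[$time_iso8601] $remote_addr "$request" $status '
                      '$body_bytes_sent $upstream_response_time '
                      '"$http_referer" "$http_user_agent" $request_body_redacted';

    server {
        listen 80;

        location / {
            # Conditional logging via the map variable, not an "if" block.
            access_log /var/log/nginx/access_kibana.log filter if=$loggable;
            proxy_pass http://kibana;
        }
    }
}
```

Note that `$request_body` is only populated when nginx buffers the body (the default with `proxy_pass`); with `proxy_request_buffering off` the variable stays empty and nothing would be redacted or logged.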