I'm trying to sanitise my Apache logs of sensitive data, as it's passed around in query string parameters. I'm aware this is not good, but it cannot be changed.

Following from this question: https://stackoverflow.com/a/9473943/1046387

This is in my apache.conf:

```
CustomLog "|/bin/sed -u -E s/'api_key=[^& \t\n]*'/'api_key=\[FILTERED\]'/g >> /var/log/apache2/access.log" combined
```

I've been getting this error:

```
AH00106: piped log program '/bin/sed -u -E s/'api_key=[^& \\t\\n]*'/'api_key=\\[FILTERED\\]'/g >> /var/log/apache2/access.log' failed unexpectedly
/bin/sed: -e expression #1, char 14: unterminated `s' command
```

Despite being able to run the command on the box directly:

```
$ echo "api_key=343" | /bin/sed -u -E s/'api_key=[^& \t\n]*'/'api_key=\[FILTERED\]'/g
api_key=[FILTERED]
```

Seems like Apache isn't handing over the command to sed properly, so it's missing some of the arguments. Some problem with escape sequences or something?

Harry
  • Can you test this one instead: `sed -E 's/api_key=\w+/api_key=[FILTERED]/g'`? My guess is that those single quotes are causing you trouble. – accdias Nov 04 '19 at 11:38
  • I can see `/bin/sed: can't read >>: No such file or directory` in my logs – Harry Nov 04 '19 at 12:03
  • I'm pretty sure you did it right but I have to ask: did you try it as `CustomLog "|/bin/sed -u -E 's/api_key=\w+/api_key=[FILTERED]/g' >> /var/log/apache2/access.log" combined`, right? – accdias Nov 04 '19 at 12:06
  • Yes exactly that – Harry Nov 04 '19 at 12:12
  • Alright. I'm going to set up an Apache server to test it on my side. – accdias Nov 04 '19 at 12:27
  • But judging by the error message, it seems like `sed` is considering the redirection `>>` as the file name to process. It is strange but seems that way. It is just a guess but can you try replacing `>>` with `- -- >>`? – accdias Nov 04 '19 at 12:30
  • Using `- -- >>` removed the error but it doesn't look like the query string param is being filtered – Harry Nov 04 '19 at 12:40

0 Answers
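
One way to keep the quoting and the `>>` redirection out of the `CustomLog` directive is to move them into a small wrapper script, shown here as an added example that is not code from the question or its comments. The script path `/usr/local/bin/redact-log.sh` and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's code. Hypothetical install path:
#   /usr/local/bin/redact-log.sh   (assumption)
# Apache side, with no quoting or redirection left in the directive:
#   CustomLog "|/usr/local/bin/redact-log.sh /var/log/apache2/access.log" combined
# Apache 2.4 spawns piped loggers without a shell unless the "|$" prefix is
# used, so the append (>>) has to happen inside this script.

# Replace every api_key value on stdin. The value ends at '&', whitespace or
# '"', so the closing quote of a logged Referer field is preserved.
# -u (GNU sed, as in the question) flushes each line as it is written.
redact_api_key() {
    sed -u -E 's/api_key=[^&[:space:]"]*/api_key=[FILTERED]/g'
}

# Constructed sample lines in combined log format (not real traffic).
sample_lines() {
    cat <<'EOF'
203.0.113.7 - - [04/Nov/2019:11:30:00 +0000] "GET /v1/items?api_key=abc123&page=2 HTTP/1.1" 200 512 "-" "curl/7.58.0"
203.0.113.7 - - [04/Nov/2019:11:30:01 +0000] "GET /v1/items?page=3 HTTP/1.1" 200 498 "https://app.example/?api_key=abc123" "curl/7.58.0"
198.51.100.4 - - [04/Nov/2019:11:30:02 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"
EOF
}

if [ "$#" -eq 1 ]; then
    # Piped-logger mode: append the filtered stream to the given log file.
    redact_api_key >> "$1"
else
    # Demo mode: show the filter on the constructed sample.
    sample_lines | redact_api_key
fi
```

The script must be executable by the user that starts Apache, and the key also appears in the Referer field of the second sample line, which is why the pattern is not limited to the request line.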