Question

I need to apply a mask to the IP in the Apache log.

For example, I have this log: 192.168.234.111 - - [18/Oct/2013:16:29:40 +0200] "GET ........"

And I want to save this: 192.168.234.xxx - - [18/Oct/2013:16:29:40 +0200] "GET ........"

To produce the first log, I'm using a log format like this:

    LogFormat "%h %l %u %t" combined-syslog2
    CustomLog /var/log/toto combined-syslog2

To get the second log, I can pipe to a perl/shell post script like this:

    CustomLog |/usr/local/shl/apache_syslog2

But I'm not happy with this solution. Is it possible to do that with Apache?

Thanks.

Eric

Solution 2

Here's the way to do it in Apache:

  • Use a RewriteCondition which matches all IP addresses
  • Store the partial IP address in a backreference
  • Use a RewriteRule to store the partial IP plus xxx in an environment variable (e.g. VARNAME)
  • Reference the environment variable in the LogFormat declaration via %{VARNAME}e

Other tips

It can be even more simplified:

  1. Just use SetEnvIf from module mod_setenvif to create an environment variable based on the Remote_Addr.
  2. Use a regular expression to determine the part you want to mask.
  3. Finally reference the variable (e.g. MASKED_IP_ADDR) in your LogFormat statement like so:

    SetEnvIf Remote_Addr "((?:\d{1,3}\.){3})\d{1,3}" MASKED_IP_ADDR=$1XXX
    LogFormat "%{MASKED_IP_ADDR}e %l %u %t" combined-syslog2
    

Of course, you could also go for a correct IP address regular expression:

    ^((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3})(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$

This one captures the first three octets so that the last one can be substituted by 'XXX'.
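A way to check both patterns before deploying them, as an added example that is not part of the original answers: it models the SetEnvIf/LogFormat pair in Python's `re`. Assumptions: the pattern is applied as an unanchored search, `$1` is replaced by the first capture group, and `%{MASKED_IP_ADDR}e` logs `-` when the variable was never set; the sample addresses and the helper names `masked_field` and `report` are constructed for illustration.

```python
import re

# Patterns copied from the answer above.
LOOSE = r"((?:\d{1,3}\.){3})\d{1,3}"
STRICT = (r"^((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3})"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")


def masked_field(pattern, remote_addr):
    """Model of `SetEnvIf Remote_Addr <pattern> MASKED_IP_ADDR=$1XXX` followed
    by %{MASKED_IP_ADDR}e (assumed semantics: unanchored search, $1 replaced by
    group 1, "-" written when the variable is unset)."""
    m = re.search(pattern, remote_addr)
    return m.group(1) + "XXX" if m else "-"


# Constructed sample client addresses (not taken from any real log).
SAMPLES = [
    "192.168.234.111",         # the address from the question
    "10.0.0.7",
    "2001:db8::1",             # IPv6 client: no dotted quad to capture
    "::ffff:192.168.234.111",  # IPv4-mapped IPv6 textual form
]


def report():
    """Return {address: (field with LOOSE, field with STRICT)}."""
    return {addr: (masked_field(LOOSE, addr), masked_field(STRICT, addr))
            for addr in SAMPLES}


if __name__ == "__main__":
    for addr, (loose, strict) in report().items():
        print(f"{addr:26} loose={loose:18} strict={strict}")
```

Under these assumptions an IPv6 client matches neither pattern, so its address field is logged as `-`, and only the unanchored pattern produces a masked value for the IPv4-mapped form.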

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow