Jump to content


Masking sensitive data in access logs


  • Please log in to reply
3 replies to this topic

#1 David Parker

David Parker
  • Members
  • 14 posts

Posted 10 March 2020 - 10:21 PM



We have a 440 ADC load balancer running firmware  We recently discovered that POST data is shown in the access logs, including sensitive information such as login credentials and passwords.  I would like to mask or remove this information from the logging, but can't figure out how.  I found this page:




But it says to click on SECURITY and I do not see that option anywhere in any of the tabs.  Can anyone point me in the right direction here?



#2 Aravindan Anandan

Aravindan Anandan
  • Barracuda Team Members
  • 87 posts

Posted 10 March 2020 - 11:55 PM

This option is part of the security module on the ADC product which is only available from 540 model onwards. You may choose to either upgrade your system to the 540 model, or deploy a Barracuda WAF instance which can provide you with the same functionality.

#3 David Parker

David Parker
  • Members
  • 14 posts

Posted 11 March 2020 - 02:05 PM

So there's no way to hide sensitive data on the 440?  Hiding this kind of information in the logs seems like a necessity.  It shouldn't be a feature that you need to upgrade to get.

#4 David Parker

David Parker
  • Members
  • 14 posts

Posted 04 May 2020 - 12:51 PM

Just to follow up on this, we found a workaround that may help others.  If the page is submitting data to itself, then using action="?" in the form will cause the variables to pass through without getting logged by the load balancer.


So, using PHP as an example, something like this:

<form method="post" action="<?=$_SERVER['PHP_SELF'];?>">

Can be rewritten as this:

<form method="post" action="?">

We stumbled upon this when we realized that some of our forms were not having the variables logged, and it turned out they were all using this syntax for the form action.