@krushik
Last active December 15, 2021 07:20
mask passwords in apache access logs with mod_lua
-- apache's %r log field (request line) is read only, we can't fix data in there,
-- so you need to change your LogFormat with '%m %U%q %H' instead of '%r' to get this masking effect
function log_mask_password(r)
    -- manually parse the request line; needed to overwrite r.uri to mimic apache's %r percent-encoding in %U for non-latin chars
    local url = r.the_request:match"^%S+%s(.+)%sHTTP/[%d.]+$" -- ex.: GET /foo?bar=1 HTTP/1.1
    -- in case of a malformed http request, use apache's uri variant
    if not url then
        url = r.uri
    end
    -- remove the query string from the extracted url and overwrite r.uri
    r.uri = string.gsub(url, "%?.*", "")
    -- mask password= param values in the query string (any letter casing of "password")
    if r.args then
        r.args = r.args:gsub("([pP][aA][sS][sS][wW][oO][rR][dD])=[^&=]*(&?)", "%1=XXX%2")
    end
    return apache2.OK
end
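The hook masks lines written after it is enabled, and it only rewrites r.uri and r.args, so the %{Referer}i field of the combined format can still carry a query string from the referring page. As an added example that is not part of the gist, the Python script below applies the same password= masking pattern to combined-format lines already on disk, covering both the request field and the Referer. The line layout regex, the constructed sample lines and the function names are assumptions of this example, not code from the gist.

```python
import re
from typing import List

# Mirror of the gist's Lua pattern ([pP][aA]...=[^&=]*(&?)): a parameter whose
# name ends in "password" (any casing), its value up to the next '&' or '=', and
# the separator that follows. Like the Lua original it is not anchored at the
# start of the key, so "newpassword=" is masked too, and a raw '=' inside the
# value stops the match (values are normally percent-encoded, so '=' is %3D).
_PARAM_RE = re.compile(r"(password)=[^&=]*(&?)", re.IGNORECASE)


def mask_query(qs: str) -> str:
    """Replace the value of every password parameter in a query string with XXX."""
    return _PARAM_RE.sub(r"\1=XXX\2", qs)


def _mask_url(url: str) -> str:
    """Mask the query string of a URL or path; a value without '?' is returned as-is."""
    path, sep, qs = url.partition("?")
    return path + sep + mask_query(qs) if sep else url


# Combined log layout from the gist's comment (assumed here):
#   %a %l %u %t "%m %U%q %H" %>s %O "%{Referer}i" "%{User-Agent}i"
# Assumption: the request and Referer fields contain no escaped quotes (\"),
# which is the common case for lines Apache wrote itself.
_LINE_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]*\] ")'
    r'(?P<request>[^"]*)'
    r'(?P<mid>" \d{3} \S+ ")'
    r'(?P<referer>[^"]*)'
    r'(?P<rest>".*)$'
)


def mask_log_line(line: str) -> str:
    """Mask password values in both the request field and the Referer of one line."""
    m = _LINE_RE.match(line)
    if not m:
        return line  # not a combined-format line: leave it untouched
    # The request field is "METHOD URL PROTO"; only URL can carry a query string.
    tokens = m.group("request").split(" ")
    if len(tokens) >= 3:
        tokens[1:-1] = [_mask_url(" ".join(tokens[1:-1]))]
    return (
        m.group("prefix")
        + " ".join(tokens)
        + m.group("mid")
        + _mask_url(m.group("referer"))
        + m.group("rest")
    )


def mask_log_lines(lines: List[str]) -> List[str]:
    """Apply mask_log_line to every line and return the masked copies."""
    return [mask_log_line(line) for line in lines]


# Constructed sample lines (not real traffic) in the gist's LogFormat.
SAMPLE_LINES = [
    '203.0.113.5 - - [05/Dec/2018:10:15:02 +0000] '
    '"POST /login?user=bob&Password=s3cr3t&next=%2Fhome HTTP/1.1" 302 412 '
    '"https://example.test/start?password=hunter2" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2018:10:15:03 +0000] '
    '"GET /home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for masked in mask_log_lines(SAMPLE_LINES):
        print(masked)
```

The second sample line has no query string anywhere and comes back byte-for-byte unchanged, which is the property to check before running such a pass over real logs. A raw '=' inside a password value (password=abc=def) is handled exactly as the Lua pattern handles it: the part after the second '=' stays visible, since `[^&=]*` stops there.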
krushik commented Dec 5, 2018

  1. put log_mask.lua to /etc/apache2/
  2. enable mod_lua in apache with a2enmod lua
  3. set up lua log hook somewhere in your config
<IfModule lua_module>
    LuaHookLog /etc/apache2/log_mask.lua log_mask_password
</IfModule>
  4. fix your LogFormat to use %m %U%q %H instead of %r. e.g.:
    LogFormat "%a %l %u %t \"%m %U%q %H\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Don't forget to fix all your other log formats too, if you have them!
