How to anonymize IP address in log files on Plesk?

Comments

22 comments

  • froggift (Edited)

    Will this also include old gz logs? And also Mail logs not only nginx & apache...

    And will this work with Fail2Ban?

    It would be perfect if we could set the time after which all IP addresses should be anonymized. Even with GDPR it's no problem to store the IP address for about 7 days for security reasons...

  • Fabian Meyer

    I have updated today. I have the checkbox "Anonymize IPs during log rotation" activated. But it's not working: I still see the IPs in the log protocol of the domain. What am I doing wrong?

    Sorry for my bad English and greetings from Germany!
    Fabian

  • Martin

    This is a nice feature to have available for server admins, thanks for implementing. One question I have: Does anonymization of IP addresses when the logs are rotated affect other services, for instance the way that Fail2Ban operates?

    If Fail2Ban blocks IP addresses prior to log rotation (i.e. IP anonymization) and also does not process rotated log files, then I do not see there being any conflict.

    Many thanks in advance for any clarification.

  • Peter Debik

    Script execution fails:

    [root@<machine> <machine>]# ./enable-ip-anonimization.sh
    ./enable-ip-anonimization.sh: line 1: syntax error near unexpected token `<'
    ./enable-ip-anonimization.sh: line 1: `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Source of enable-ip-anonimization.sh - force-log-rotation - Plesk Bitbucket</title><script>'

  • Ivan Postnikov (Edited)

    Hello @Peter, thank you for noticing.

    The script will be replaced with the correct one soon.

  • Peter Debik

    The anonymizing function on 17.5 and 17.8 does not work correctly either. After activating it yesterday, it did not anonymize the latest log entries during the nightly log file rotation, but it removed all former log file archives and did not create a new one from yesterday's logs, leaving access_log and access_log.processed, for example, with the full IP addresses, and removed all access_log.processed.?.gz files.

  • Ivan Postnikov

    Hello @Martin and @froggift!

    This feature works with Fail2Ban. IP addresses are blocked prior to log rotation. The corresponding information will be added to this article.

    > Will this also include old gz logs? And also Mail logs not only nginx & apache...

    Yes, .gz and mail logs are also included.

  • Ivan Postnikov

    Hello @Peter and @Fabian, have you tried the solution from this article?

    In case it does not help, please create a support request (ticket) and Plesk Technical Support will check the issue further.

  • Lenor

    Hi,

    Thanks for the great feature.

    Why would I need this script if I am able to activate this in the backend anyway?

  • Denis Bykov

    @Lenor
    Indeed, it is possible to perform the same manually. The script is just more convenient and easy, especially for a less tech-savvy person.
    Basically, the following three commands will do the work:

    # plesk bin settings -s logrotate_anonymize_ips=true
    # plesk sbin logrot_mng --system-logs --anonymize-ip=true
    # for i in $(plesk db -se "select domains.name from domains left join dom_param on domains.id=dom_param.dom_id left join log_rotation on dom_param.val=log_rotation.id where domains.htype='vrt_hst' and dom_param.param='logrotation_id' and log_rotation.turned_on='true'"); do plesk bin domain --update "$i" -log-rotate true; done

  • pm

    Is there also a solution for Plesk 12.5.30?

  • Peter Debik

    We are seeing the same "not working" situation on all servers, two of them being a 17.8 installation. One of which is a new installation, the other one is an upgraded system done by Plesk staff. I believe that at least the installation done by Plesk itself should work, but in this case it does not.

    On both of them logs are rotated daily but no longer archived as a .gz archive file. The solution from https://support.plesk.com/hc/en-us/articles/360004925094-IP-address-anonymization-in-logs-does-not-work-last-octet-is-not-replaced does not help, because it does not target the issue. The issue is not that the anonymization does not take place, the issue is that the archives are missing in general, so that we cannot even test if the anonymization takes place. Every log is now only stored for one day and deleted afterwards. It only goes into the *.processed file, and that "processed" log file covers the time period between previous log rotation and current.

    I feel uncomfortable that I ought to buy extra support for figuring this out, because it is evident that it is a software bug. What other options are there?
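
For checking whether rotated logs were actually anonymized, as discussed in the comments above, here is an added example; it is not part of the thread or of Plesk's tooling. It assumes an anonymized IPv4 address has its last octet set to 0 and that the client address is the first field of each line; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: an anonymized IPv4 address ends in ".0" and
# the client address is the first field of each log line.

# Constructed sample lines (documentation addresses), not real log data.
sample_lines() {
    cat <<'EOF'
203.0.113.0 - - [25/May/2018:10:00:00 +0200] "GET / HTTP/1.1" 200 512
203.0.113.57 - - [25/May/2018:10:00:01 +0200] "GET /a HTTP/1.1" 200 100
2001:db8::1 - - [25/May/2018:10:00:02 +0200] "GET /b HTTP/1.1" 200 100
198.51.100.9 - - [25/May/2018:10:00:03 +0200] "GET /c HTTP/1.1" 404 0
EOF
}

# Read log lines on stdin; print how many start with an IPv4 address
# whose last octet is not 0. IPv6 and non-address fields are skipped.
count_unmasked() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             split($1, octet, ".")
             if (octet[4] + 0 != 0) bad++
         }
         END { print bad + 0 }'
}

# Check each file given as an argument (plain or .gz; "gzip -cdf" passes
# uncompressed input through unchanged). Prints "<count><TAB><file>" and
# returns 1 if any file still contains an unmasked address.
check_logs() {
    status=0
    for f in "$@"; do
        count=$(gzip -cdf < "$f" | count_unmasked)
        printf '%s\t%s\n' "$count" "$f"
        [ "$count" -eq 0 ] || status=1
    done
    return "$status"
}

# With file arguments, check them; without, run on the sample lines.
if [ "$#" -gt 0 ]; then
    check_logs "$@"
else
    sample_lines | count_unmasked
fi
```

Pass it the rotated files you want to verify, such as the access_log.processed.?.gz archives mentioned in the thread; live logs are expected to still contain full addresses until they are rotated.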

  • Sascha Henken

    Why do you only anonymize during log rotation? The live logging should also be stripped by the last octet as well. I'm not 100% sure if the current behaviour is GDPR compliant. Would be nice to have such an extended option as well.

  • Ivan Postnikov

    @Peter, it seems that investigation is required to find the root cause.

    I have created a support request for it. 

  • Ivan Postnikov

    Hello @pm, the following solution is available for Plesk 12.5:

    1. Log in to Plesk via SSH

    2. Download the script:

    # wget https://support.plesk.com/hc/en-us/article_attachments/360006368973/enable-ip-anonimization.sh.tar.gz

    3. Unpack it and make executable:

    # tar -xvf enable-ip-anonimization.sh.tar.gz && chmod +x enable-ip-anonimization.sh

    4. Execute the script:

    # ./enable-ip-anonimization.sh

  • pm

    Hi, this solution doesn't work in 12.5

    # ./enable-ip-anonimization.sh
    This server doesn't support IP anonimization feature

    # plesk version
    Product version: 12.5.30 Update #76
    Update date: 2018/05/17 23:26
    Build date: 2016/06/08 10:00
    OS version: CentOS 6.9
    Revision: 344620
    Architecture: 64-bit
    Wrapper version: 1.2

  • Ivan Postnikov

    Hello @pm,

    Please, accept my sincere apologies for the incorrect information you have received.

    The feature is not yet implemented for Plesk 12.5.

    The quickest way to solve the issue is to upgrade to Plesk Onyx.

  • Lenor

    We have activated it and got some error as well, the next day.

  • Ivan Postnikov

    Hello @Sascha Henken,

    In accordance with Recital 49 of GDPR, non-anonymized IPs may be safely stored for some period for security reasons.

    If maximum safety is required, logrotate may be set up to remove rotated logs daily.

  • Ivan Postnikov

    Hello @Lenor,

    Could you please share what the error was?

  • Mike

    Please do this also for live logs!

  • Artyom Volov

    Hello @Mike,

    thank you for suggesting this functionality, a feature request was created:

    https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/34789210-anonymize-current-log-files-not-only-rotated-ones

    Please vote for it on UserVoice in order for it to be implemented.
