遮蔽访问日志和活动报表以确保符合隐私法

使用本节中的脚本可自动遮蔽活动报表或访问日志中的信息以确保符合隐私法,并通过电子邮件将报表发送至收件人(可选)。

由于某些国家/地区的隐私法较严格,活动报表和访问日志中可用的信息可能必须对服务管理员隐藏以保护用户的隐私。

可以使用 anonymizeData.bat 遮蔽活动报表或访问日志中的信息以确保符合隐私法,并通过电子邮件发送报表(可选)。要遮蔽信息,请使用 Windows 计划程序调度此脚本或其变体,让它每日在每个环境的日常维护流程完成后很快运行。

使用以下信息源:

通过复制以下过程中提供的 Windows 脚本并使用 Windows 计划程序调度该脚本来手动创建 anonymizeData.bat。如果不想使用 Windows 进行调度,也可以创建和运行适合平台的类似脚本。

anonymizeData.bat 是一种包装器脚本,可以执行 anonymizeData.ps1 脚本,您可以按照以下过程中的说明创建并更新该脚本。

如果密码中包含特殊字符,请参阅“处理特殊字符

  1. 创建一个名为 anonymizeData.bat 的批处理 (BAT) 文件,在其中包含以下脚本,并将它保存到一个方便的位置,例如 C:\automate_scripts 
    @echo off
set paramRequiredMessage=Syntax: anonymizeData.bat USERNAME PASSWORD/PASSWORD_FILE URL [EMAIL_TO_ADDRESS]

if "%~1" == "" (
  echo User Name is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )
if "%~2" == "" (
  echo Password or Password_File is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )
if "%~3" == "" (
  echo URL is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )

PowerShell.exe -File anonymizeData.ps1 %*
  2. 创建一个名为 anonymizeData.ps1 的 PowerShell 脚本 (PS1) 文件,在其中包含以下脚本,并将它保存到一个方便的位置,例如 C:\automate_scripts 
    # Anonymize data script

$username=$args[0]
$password=$args[1]
$url=$args[2]
$emailtoaddress=$args[3]

# Generic variables
$date=$(get-date -f dd_MM_yy_HH_mm_ss)
$datedefaultformat=$(get-date)
$logdir="./logs/"
$logfile="$logdir/anonymize-data-" + $date + ".log"
$filelist="filelist.txt"

function LogMessage
{
  $message=$args[0]

  echo "$message" >> $logfile
}

function EchoAndLogMessage
{
  $message=$args[0]

  echo "$message"
  echo "$message" >> $logfile
}
function Init
{
   $logdirexists=Test-Path $logdir
   if (!($logdirexists)) {
       mkdir $logdir 2>&1 | out-null
    }

   $logfileexists=Test-Path $logfile
   if ($logfileexists) {
       rm $logfile 2>&1 | out-null
    }

   $filelistexists=Test-Path $filelist
   if ($filelistexists) {
       rm $filelist 2>&1 | out-null
    }
}

function ProcessCommand
{
   $op=$args
   echo "EPM Automate operation: epmautomate.bat $op" >> $logfile
   if ($op -eq 'listfiles') {
      epmautomate.bat $op | where {$_ -like ' apr/*/access_log.zip'} | Tee-Object -FilePath $filelist | Out-File $logfile -Append 2>&1
    } else {
      epmautomate.bat $op >> $logfile 2>&1
        if ($LASTEXITCODE -ne 0) {
           echo "EPM Automate operation failed: epmautomate.bat $op. See $logfile for details."
           #exit
           }
    }
}

function RunEpmAutomateCommands
{
    EchoAndLogMessage "Running EPM Automate commands to anonymize data in the access logs and activity reports."
    ProcessCommand login $username $password $url
    ProcessCommand listfiles
    ProcessFiles
    ProcessCommand logout
}

function ProcessActivityReport
{
    $activityreport=$args[0]
    $user=$args[1]

    $activityreportexists=Test-Path "$activityreport"
    if ($activityreportexists) {
        LogMessage "Removing User ID: $user from activity report $activityreport"
        (Get-Content "$activityreport").replace("$user", 'XXXXX') | Set-Content "$activityreport"
        $txt = [io.file]::ReadAllText("$activityreport") -replace "`r`n","`n"
        [io.file]::WriteAllText("$activityreport", $txt)
        #Get-ChildItem -File -Recurse | % { $x = get-content -raw -path $activityreport; $x -replace "`r`n","`n" | set-content -path $activityreport }
    }
}

function AnonymizeData
{
    $aprdir=$args[0]
    $datestampdir=$args[1]
    $path="$aprdir/$datestampdir"
    $accesslogzipped="access_log.zip"
    $accesslog="access_log.csv"
    $accesslogupdated=$accesslog + ".tmp"
    $activityreportfile="$datestampdir" + ".html"
    $userArray = @()

    expand-Archive -Path "$path/$accesslogzipped" -DestinationPath $path
    rm $path/$accesslogzipped 2>&1 | out-null
    $accesslogexists=Test-Path "$path/$accesslog"
    if ($accesslogexists) {
        EchoAndLogMessage "Processing access log: $path/$accesslog"
        Get-Content $path/$accesslog | ForEach-Object {
            $elements=[regex]::Split( $_ , ',(?=(?:[^"]|"[^"]*")*$)' )
            $date=$elements[0]
            $time=$elements[1]
            $uri=$elements[2]
            $duration=$elements[3]
            $bytes=$elements[4]
            $ip=$elements[5]
            $user=$elements[6]
            $screen=$elements[7]
            $action=$elements[8]
            $object=$elements[9]
            if ($date -like 'Date') {
                echo "$_" >> $path/$accesslogupdated
            } else {
                if ($user -notlike '-') {
                    LogMessage "Removing instance of User ID: $user from $path/$accesslog."
                    echo "$date,$time,$uri,$duration,$bytes,$ip,XXXXX,$screen,$action,$object" >> $path/$accesslogupdated
                    $userArray += $user
                } else {
                    echo "$date,$time,$uri,$duration,$bytes,$ip,$user,$screen,$action,$object" >> $path/$accesslogupdated
                }
            }
        }
        #Get-ChildItem -File -Recurse | % { $x = get-content -raw -path $path/$accesslogupdated; $x -replace "`r`n","`n" | set-content -path $path/$accesslogupdated }
        $txt = [io.file]::ReadAllText("$path/$accesslogupdated") -replace "`r`n","`n"
        [io.file]::WriteAllText("$path/$accesslogupdated", $txt)
        mv -Force $path/$accesslogupdated $path/$accesslog
        Compress-Archive -Path $path/$accesslog $path/$accesslogzipped
        rm $path/$accesslog 2>&1 | out-null
    }

    EchoAndLogMessage "Processing activity report: $path/$activityreportfile"
    $userArray = $userArray | Select-Object -Unique
    foreach ($element in $userArray) {
        ProcessActivityReport "$path/$activityreportfile" "$element"            
    }
}

function ProcessFiles
{
    # Loop through iteration csv file and parse
    Get-Content $filelist | ForEach-Object {
        $fullpath=$_.trim()
        $elements=$fullpath.split('/')
        $aprdir=$elements[0]
        $datestampdir=$elements[1]
        $accesslogfile="access_log.zip"
        $activityreportfile="$datestampdir" + ".html"
        $datestampdirexists=Test-Path "$aprdir/$datestampdir"
        $accesslog="$aprdir/$datestampdir/$accesslogfile"
        $activityreport="$aprdir/$datestampdir/$activityreportfile"

        echo "fullpath: $fullpath" >> $logfile
        echo "aprdir: $aprdir, datestampdir: $datestampdir" >> $logfile
        if (!($datestampdirexists)) {
            mkdir "$aprdir/$datestampdir" -ea 0 2>&1 | out-null
            ProcessCommand downloadfile "$accesslog"
            ProcessCommand downloadfile "$activityreport"
            mv "$accesslogfile" "$aprdir/$datestampdir"
            mv "$activityreportfile" "$aprdir/$datestampdir"
            AnonymizeData "$aprdir" "$datestampdir"
            ProcessCommand deletefile "$accesslog"
            ProcessCommand deletefile "$activityreport"
            ProcessCommand uploadfile "$accesslog" "$aprdir/$datestampdir"
            ProcessCommand uploadfile "$activityreport" "$aprdir/$datestampdir"
        } else {
            EchoAndLogMessage "Files in directory $aprdir/$datestampdir were processed earlier. Skipping these files."
        }
    }
}

function callSendMail
{
    $elements=$logfile.split('/')
    $logfilename=$elements[3]

    if (${emailtoaddress} -match "@") {
        epmautomate.bat login ${username} ${password} ${url}
        epmautomate.bat uploadFile "$logfile"
        epmautomate.bat sendMail $emailtoaddress "Mask Access Logs and Activity Reports results" Body="The results of running the Mask Access Logs and Activity Reports script are attached." Attachments=$logfilename
        epmautomate.bat deleteFile "$logfilename"
        epmautomate.bat logout
    }
}

Init
EchoAndLogMessage "Starting the anonymize data script"
RunEpmAutomateCommands
EchoAndLogMessage "Anonymize data script completed"
EchoAndLogMessage "Refer to logfile: $logfile for details."
callSendMail
  3. 使用 Windows 计划程序调度 anonymizeData.bat。有关详细步骤,请参阅“自动执行脚本”。
    您需要提供以下参数值以执行 anonymizeData.bat
    • 服务管理员的用户名
    • 服务管理员的密码或提供加密密码文件的位置
    • 必须遮蔽访问日志和活动报表的服务环境的 URL
    • 可选: 要将报表发送到的电子邮件地址。仅当指定此值时,才会通过电子邮件发送报表。