Can iRule mask the payload content on event logs of security

Try this article:

Irule Check payload contains | DevCentral

https://f5-agility-labs-irules.readthedocs.io/en/latest/class2/module1/lab4.html

https://clouddocs.f5.com/api/irules/HTTP__payload.html

Use

HTTP::payload replace <offset> <length> <string>

HTTP::payload replace¶

• Replaces the amount of content that you specified with the argument, starting at with , adjusting the Content-Length header appropriately.
• To clarify, the length argument should be the length of original content to replace. In order to replace the entire payload, the offset should be 0 and the length should be the original size in bytes of the payload.
• Note that the argument will be interpreted as a byte array. If it is actually a UTF-8 string with multibyte characters, the output will not be what you expect. In order to prepare a UTF-8 string for use as input to HTTP::payload replace, you should first run ‘binary scan c* throwawayvariable’.
• Note: This function is callable, but will not work as expected in the HTTP_REQUEST_SEND event

Examples¶

when HTTP_RESPONSE { if {[HTTP::status] == 205}{ HTTP::collect [HTTP::header Content-Length] set clen [HTTP::header Content-Length] } } when HTTP_RESPONSE_DATA { HTTP::respond 200 content [HTTP::payload] } when HTTP_RESPONSE_DATA { regsub -all "oursite" [HTTP::payload] "oursitedev" newdata log "Replacing payload with new data." HTTP::payload replace 0 $clen $newdata HTTP::release }