avoid sensitive GET request parameter's data in the access logs

Posted by uttam 
avoid sensitive GET request parameter's data in the access logs
March 21, 2017 04:14AM
I require access logs enabled, but for compliance reasons, cannot log a sensitive GET request parameter's data in the access logs. While I know I could parse the logs (after the fact) and sanitize them, this is not an acceptable solution, because for compliance reasons logs can't be tampered with.

I tried setting an if statement in the location directive:
if ($request_uri ~ (.*)password=[^&]*(.*)) { set $request_uri $1password=XXXXX$2; }

But here I read that 'if' is not safe in location:
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

Can you suggest an alternative, maybe in the server directive?
Re: avoid sensitive GET request parameter's data in the access logs
March 21, 2017 05:17AM
https://www.bjornjohansen.no/exclude-requests-from-nginx-access-log

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: avoid sensitive GET request parameter's data in the access logs
March 21, 2017 10:26AM
Thanks for the reply. But I don't want to exclude these entries from the log; I wanted to mask the values of these credential parameters in the request.
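
One way to mask the value instead of dropping the entry, without `if`, is a `map` on `$request` that feeds a custom `log_format`. This is an added example, not part of the posts above; the names `$masked_request` and `masked`, the log path and the stub location are assumptions, and map values that mix text with variables need nginx 1.11.0 or later.

```nginx
# Added example (not from the thread): mask "password" in the logged request line.
events {}

http {
    # $request is the full request line, e.g.
    #   GET /login?user=a&password=secret&x=1 HTTP/1.1
    # The map is evaluated only when the log line is written, so the request
    # itself is untouched and the raw value never reaches the access log.
    map $request $masked_request {
        # "password" must directly follow "?" or "&", so "xpassword=" is ignored.
        # pre  = everything up to and including "password="
        # post = the rest of the query string and the protocol version
        # Only one occurrence is rewritten; use "~*" for a case-insensitive match.
        "~^(?<pre>[^?]*\?(?:[^ ]*&)?password=)[^& ]*(?<post>.*)$"  "${pre}XXXXX${post}";
        default  $request;
    }

    # Same fields as the predefined "combined" format, with $request swapped
    # for the masked variable. $http_referer is kept here as in "combined";
    # it can carry a previous page's query string, so review it as well.
    log_format masked '$remote_addr - $remote_user [$time_local] '
                      '"$masked_request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

    server {
        listen 8080;

        # Assumed path. Every access_log that covers this traffic must use
        # the "masked" format, or the raw request line is still written.
        access_log /var/log/nginx/access.log masked;

        # error_log entries include the raw request line ("request: ...")
        # and are not affected by log_format.

        location / {
            return 204;   # stub so the file is a complete, loadable config
        }
    }
}
```

`nginx -t -c` with the full path to this file checks the syntax; a request for `/login?user=a&password=secret` should then be logged as `/login?user=a&password=XXXXX`.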