Preventing an Apache 2 Server from Logging Sensitive Data

You can mask the passwords before they end up in access.log by combining a CustomLog directive with a bit of sed magic (as instructed in https://stackoverflow.com/a/9473943/102170):

This would replace every occurrence of password=secret with password=[FILTERED] in /your/path/access.log:

CustomLog "|/bin/sed -u -E s/'param=[^& \t\n]*'/'param=\[FILTERED\]'/g >> /your/path/access.log" combined

That being said, it would be best to avoid putting sensitive data in the query strings if possible.
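The same sed approach extended to several parameter names at once, as an added example that is not part of the original answer. It goes beyond the single parameter shown above; the parameter names in `SENSITIVE_PARAMS` and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: mask the values of several sensitive query-string
# parameters in access-log lines read from stdin.
# The parameter names below are assumptions; adjust them to your application.
SENSITIVE_PARAMS='password|passwd|token|card_number'

mask_params() {
    # Match a listed name only when it directly follows ? or &, so that a
    # value such as "q=mypassword=1" is left alone. The value is replaced up
    # to the next &, space or double quote, which also covers a query string
    # that shows up in the Referer field of the combined format.
    sed -E "s/([?&](${SENSITIVE_PARAMS})=)[^& \"]*/\1[FILTERED]/g"
}

# Constructed sample lines in combined log format (not real traffic).
sample_lines() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /pay?card_number=4111111111111111&amount=10 HTTP/1.1" 200 128 "https://example.test/cart?token=abc123" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=mypassword=1 HTTP/1.1" 200 64 "-" "curl/8.0"
EOF
}

# Print the masked version of the sample lines.
sample_lines | mask_params
```

Only what reaches the filter is masked; anything written before the filter was put in place stays in the existing log files.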


Apache 2 by default logs the entire request URI including query string of every request.

What is a straightforward way to prevent an Apache 2 web server from logging sensitive data, for example passwords, credit card numbers, etc., but still log the rest of the request?

Am I reading right, that you are sending sensitive information in the URI as a query string? I would suggest changing the application so it does not do so in the first place.

Then there would be no requirement to change Apache, since it does not do any such thing by default.


You read up on the difference between GET and POST and rewrite your applications to stop putting passwords and info in GET parameters.