You could use Markers ( http://logging.apache.org/log4j/2.x/manual/markers.html ) to mark log events that may contain sensitive information:

    logger.debug(MARKER_SECURITY_RISK, request.toString());

Then, in your log4j2.xml, you can use MarkerFilter ( http://logging.apache.org/log4j/2.x/manual/filters.html#MarkerFilter ) to ignore such log events or send them to a special file that the application has write-only access to, and which only admins can read.

Would that work?

On Wednesday, January 22, 2014, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> wrote:

> So, we wanted to inspect the message which is getting logged out to avoid
> possible security issues. So, what exactly I am looking for is, if I wanted to
> add a restriction on what's being logged, how can I achieve this?
>
> For example: log.info("user name"+username+"Password"+password); // This
> is just an example; if I see a message having a password, do not log it or take
> some action.
>
> Please advise.
>
> Thank you,
> Sai
>
> On Tue, Jan 21, 2014 at 5:12 PM, Remko Popma <remko.po...@gmail.com> wrote:
>
>> Sorry, but I have no idea what you mean by "neutralize out".
>> What is currently happening and what would you like to happen instead?
>>
>> Sent from my iPhone
>>
>> > On 2014/01/22, at 6:29, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> wrote:
>> >
>> > Hi,
>> >
>> > I am working on an issue related to logging. In our application we are
>> > using log4j for logging and we detected our software doesn't neutralize out
>> > properly. Now, is there any way, without modifying the entire source by
>> > going through each and every class, we can achieve this functionality of
>> > inspecting the message getting logged and taking appropriate action?
>> >
>> > We appreciate your support.
>> >
>> > Thank you,
>> > Sai
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org
>> For additional commands, e-mail: log4j-dev-h...@logging.apache.org