You would define a marker once, and use that marker when you are logging 
information that is potentially sensitive. 

So yes, this solution assumes that the application knows where sensitive 
information may enter the system. 

If you don't know that or don't like this approach for other reasons, your only 
alternative (that I can think of) is to identify patterns in your log output 
and replace those patterns with noise (or encrypted data if you want to get 
fancy :-)). Perhaps the RewriteAppender can help there. 


Sent from my iPhone

> On 2014/01/22, at 9:08, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> 
> wrote:
> 
> Remko,
> 
> To implement this I think I need to modify all my Java classes to define a 
> Marker? Is my understanding correct?
> 
> Thank you,
> Sai
> 
> 
> 
>> On Tue, Jan 21, 2014 at 6:57 PM, Remko Popma <remko.po...@gmail.com> wrote:
>> You could use Markers 
>> (http://logging.apache.org/log4j/2.x/manual/markers.html ) to mark log 
>> events that may contain sensitive information:
>> 
>> logger.debug(MARKER_SECURITY_RISK, request.toString());
>> 
>> Then, in your log4j2.xml, you can use MarkerFilter 
>> (http://logging.apache.org/log4j/2.x/manual/filters.html#MarkerFilter ) to 
>> ignore such log events or send them to a special file that the application 
>> has write-only access to, and which only admins can read. 
>> 
>> Would that work?
>> 
>> 
>>> On Wednesday, January 22, 2014, Saibabu Vallurupalli 
>>> <saibabu.vallurupa...@gmail.com> wrote:
>>> So, we wanted to inspect the message which is getting logged to avoid 
>>> possible security issues. What exactly I am looking for is: if I wanted to 
>>> add a restriction on what's been logged, how can I achieve this?
>>> 
>>> For example: log.info("user name"+username+"Password"+password); // This is 
>>> just an example: if I see a message containing a password, do not log it or 
>>> take some action.
>>> 
>>> Please advise.
>>> 
>>> Thank you,
>>> Sai
>>> 
>>> 
>>>> On Tue, Jan 21, 2014 at 5:12 PM, Remko Popma <remko.po...@gmail.com> wrote:
>>>> Sorry, but I have no idea what you mean by "neutralize out".
>>>> What is currently happening and what would you like to happen instead?
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>> > On 2014/01/22, at 6:29, Saibabu Vallurupalli 
>>>> > <saibabu.vallurupa...@gmail.com> wrote:
>>>> >
>>>> > Hi,
>>>> >
>>>> > I am working on an issue related to logging. In our application we are 
>>>> > using log4j for logging and we detected our software doesn't neutralize 
>>>> > out properly. Now, is there any way, without modifying the entire source 
>>>> > by going through each and every class, we can achieve this functionality 
>>>> > of inspecting the message getting logged and taking appropriate action?
>>>> >
>>>> > We appreciate your support.
>>>> >
>>>> > Thank you,
>>>> > Sai
>>>> >
>>>> 
> 

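The two approaches discussed in the thread, side by side, as an added example (not code from the thread or from the Log4j project): a Marker defined once and routed by MarkerFilter, and a RewritePolicy for the RewriteAppender that masks password-like patterns in events nobody tagged. It assumes Log4j 2.x (log4j-api and log4j-core, 2.6 or later for Log4jLogEvent.Builder) on the classpath; the class and marker names, the regex, the package and the file names are illustrative assumptions. The matching log4j2.xml is shown in the block comment so the whole setup is in one place.

```java
// Added example, not code from the thread or from the Log4j project. Assumes
// Log4j 2.x (log4j-api + log4j-core, 2.6+ for Log4jLogEvent.Builder). Class,
// marker, package and file names and the regex are illustrative assumptions.
package example.logging;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.SimpleMessage;

/*
 * log4j2.xml that wires up both approaches (packages= lets Log4j find the plugin):
 *
 * <Configuration status="warn" packages="example.logging">
 *   <Appenders>
 *     <File name="Main" fileName="logs/app.log">
 *       <PatternLayout pattern="%d %p %c{1} - %m%n"/>
 *       <!-- approach 1: marked events never reach the general log -->
 *       <MarkerFilter marker="SECURITY_RISK" onMatch="DENY" onMismatch="NEUTRAL"/>
 *     </File>
 *     <File name="Restricted" fileName="logs/restricted.log">
 *       <PatternLayout pattern="%d %p %c{1} - %m%n"/>
 *       <!-- only marked events land here; restrict read access at the OS level -->
 *       <MarkerFilter marker="SECURITY_RISK" onMatch="ACCEPT" onMismatch="DENY"/>
 *     </File>
 *     <!-- approach 2: mask known patterns in untagged events before Main writes them -->
 *     <Rewrite name="Masked">
 *       <MaskSecretsPolicy/>
 *       <AppenderRef ref="Main"/>
 *     </Rewrite>
 *   </Appenders>
 *   <Loggers>
 *     <Root level="debug">
 *       <AppenderRef ref="Masked"/>
 *       <AppenderRef ref="Restricted"/>
 *     </Root>
 *   </Loggers>
 * </Configuration>
 */
@Plugin(name = "MaskSecretsPolicy", category = "Core", elementType = "rewritePolicy")
public final class MaskSecretsPolicy implements RewritePolicy {

    /** Approach 1: defined once here, applied at every call site known to be risky. */
    public static final Marker SECURITY_RISK = MarkerManager.getMarker("SECURITY_RISK");

    /**
     * Approach 2: a heuristic for call sites nobody tagged. Matches "password=x",
     * "Password: x" and even "Passwordx" (the concatenation from the question).
     * It is a guess, so expect false positives: "invalid password for bob" masks "for".
     */
    private static final Pattern SECRET = Pattern.compile(
            "(?i)\\b(password|passwd|pwd|secret|token)\\s*[=:]?\\s*([^\\s,;&]+)");

    @PluginFactory
    public static MaskSecretsPolicy createPolicy() {
        return new MaskSecretsPolicy();
    }

    /** Keeps the key (still useful for debugging) and replaces the value with "***". */
    static String mask(String text) {
        Matcher m = SECRET.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + "=***"));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Called by the RewriteAppender for every event; clean events pass through untouched. */
    @Override
    public LogEvent rewrite(LogEvent source) {
        String original = source.getMessage().getFormattedMessage();
        String masked = mask(original);
        if (masked.equals(original)) {
            return source;
        }
        return new Log4jLogEvent.Builder(source).setMessage(new SimpleMessage(masked)).build();
    }

    /** Demo with constructed input: line 1 is masked in app.log, line 2 goes only to restricted.log. */
    public static void main(String[] args) {
        Logger log = LogManager.getLogger(MaskSecretsPolicy.class);
        String username = "alice";
        String password = "hunter2";
        log.info("user name " + username + " Password " + password);            // legacy, untagged
        log.debug(SECURITY_RISK, "raw request: user={} pw={}", username, password); // tagged
    }
}
```

Two caveats worth keeping in mind. The RewritePolicy only sees the event after the message has been formatted, so the secret has already been built into a String in memory and will reach any appender not behind the Rewrite appender; the Marker route drops or diverts the event at the filter, before any layout runs. And the regex is exactly the "identify patterns and replace them with noise" fallback from the thread: it catches the obvious cases and nothing else, which is why tagging the known entry points with a marker is the stronger control.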