Thank you Remko. I will do a PoC on both approaches and see which one can be done in less time.
On Tue, Jan 21, 2014 at 8:46 PM, Remko Popma <remko.po...@gmail.com> wrote:
> You would define a marker once, and use that marker when you are logging
> information that is potentially sensitive.
>
> So yes, this solution assumes that the application knows where sensitive
> information may enter the system.
>
> If you don't know that or don't like this approach for other reasons, your
> only alternative (that I can think of) is to identify patterns in your log
> output and replace those patterns with noise (or encrypted data if you want
> to get fancy :-)). Perhaps the RewriteAppender can help there.
>
> Sent from my iPhone
>
> On 2014/01/22, at 9:08, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> wrote:
>
> Remko,
>
> To implement this I think I need to modify all my Java classes to define
> Marker? Is my understanding correct?
>
> Thank you,
> Sai
>
> On Tue, Jan 21, 2014 at 6:57 PM, Remko Popma <remko.po...@gmail.com> wrote:
>
>> You could use Markers (
>> http://logging.apache.org/log4j/2.x/manual/markers.html ) to mark log
>> events that may contain sensitive information:
>>
>> logger.debug(MARKER_SECURITY_RISK, request.toString());
>>
>> Then, in your log4j2.xml, you can use MarkerFilter (
>> http://logging.apache.org/log4j/2.x/manual/filters.html#MarkerFilter )
>> to ignore such log events or send them to a special file that the
>> application has write-only access to, and which only admins can read.
>>
>> Would that work?
>>
>> On Wednesday, January 22, 2014, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> wrote:
>>
>>> So, we wanted to inspect the message which is getting logged out to
>>> avoid possible security issues. So, what exactly I am looking for is, if I
>>> wanted to add a restriction on what's been logged, how can I achieve this?
>>>
>>> For example: log.info("user name"+username+"Password"+password); //
>>> This is just an example. If I see a message having a password, do not log it or
>>> take some action.
>>>
>>> Please advise.
>>>
>>> Thank you,
>>> Sai
>>>
>>> On Tue, Jan 21, 2014 at 5:12 PM, Remko Popma <remko.po...@gmail.com> wrote:
>>>
>>>> Sorry, but I have no idea what you mean by "neutralize out".
>>>> What is currently happening and what would you like to happen instead?
>>>>
>>>> Sent from my iPhone
>>>>
>>>> > On 2014/01/22, at 6:29, Saibabu Vallurupalli <saibabu.vallurupa...@gmail.com> wrote:
>>>> >
>>>> > Hi,
>>>> >
>>>> > I am working on an issue related to logging. In our application we are
>>>> > using log4j for logging and we detected our software doesn't neutralize out
>>>> > properly. Now, is there any way, without modifying the entire source by
>>>> > going through each and every class, we can achieve this functionality of
>>>> > inspecting the message getting logged and taking appropriate action?
>>>> >
>>>> > We appreciate your support.
>>>> >
>>>> > Thank you,
>>>> > Sai
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org
>>>> For additional commands, e-mail: log4j-dev-h...@logging.apache.org
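The two approaches Remko describes, shown together as an added Java example that is not code from this thread or from the Log4j project: a `SECURITY_RISK` marker for call sites that know they may log sensitive data (routed or dropped by `MarkerFilter` in `log4j2.xml`), and a `RewritePolicy` for the `RewriteAppender` that replaces credential-looking patterns with noise for the code paths nobody has audited. The package name, class name, plugin name, regex and the XML fragment in the Javadoc are assumptions; the `Log4jLogEvent.Builder` API used here is the current Log4j 2.x one, which postdates the 2014 thread.

```java
package example.logging; // hypothetical package name

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.SimpleMessage;

/**
 * Pattern-based redaction for the RewriteAppender (Remko's second approach).
 *
 * Assumed log4j2.xml wiring (not from the thread). The Rewrite appender sits in
 * front of the real file appender, so every event is redacted first; the
 * MarkerFilter additionally drops events the application itself marked as risky:
 *
 *   <Configuration packages="example.logging">
 *     <Appenders>
 *       <File name="App" fileName="app.log">
 *         <MarkerFilter marker="SECURITY_RISK" onMatch="DENY" onMismatch="NEUTRAL"/>
 *       </File>
 *       <Rewrite name="Redact">
 *         <RedactPolicy/>
 *         <AppenderRef ref="App"/>
 *       </Rewrite>
 *     </Appenders>
 *     <Loggers>
 *       <Root level="info"><AppenderRef ref="Redact"/></Root>
 *     </Loggers>
 *   </Configuration>
 */
@Plugin(name = "RedactPolicy", category = "Core", elementType = "rewritePolicy")
public final class RedactPolicy implements RewritePolicy {

    /**
     * Remko's first approach: call sites that know they handle sensitive data
     * log with this marker, e.g. logger.debug(SECURITY_RISK, request.toString()),
     * and the MarkerFilter above decides whether such events are written at all.
     */
    public static final Marker SECURITY_RISK = MarkerManager.getMarker("SECURITY_RISK");

    // Assumed pattern: a credential-like keyword, an optional ':' or '='
    // separator, then the value up to the next whitespace, comma or semicolon.
    // Case-insensitive, so the thread's "...Password"+password example matches.
    private static final Pattern SECRET = Pattern.compile(
            "(?i)(password|passwd|pwd|secret|token)(\\s*[:=]?\\s*)([^\\s,;]+)");

    private RedactPolicy() {
    }

    @PluginFactory
    public static RedactPolicy createPolicy() {
        return new RedactPolicy();
    }

    /** Pure string redaction, kept separate from the event plumbing so it can be unit-tested. */
    static String redact(String formatted) {
        Matcher m = SECRET.matcher(formatted);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // keep the keyword and separator, replace only the value with noise
            String replacement = m.group(1) + m.group(2) + "***";
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    @Override
    public LogEvent rewrite(LogEvent source) {
        String original = source.getMessage().getFormattedMessage();
        String redacted = redact(original);
        if (redacted.equals(original)) {
            return source; // nothing sensitive matched; pass the event through untouched
        }
        // copy every other field (logger, level, marker, thread, timestamp) and swap the message
        return new Log4jLogEvent.Builder(source)
                .setMessage(new SimpleMessage(redacted))
                .build();
    }
}
```

With this configuration the thread's `log.info("user name"+username+"Password"+password)` reaches `app.log` as `user name...Password***`, while anything logged with the `SECURITY_RISK` marker is denied before it is written. The plugin is discovered either through the `packages` attribute shown above or by running the log4j-core annotation processor at build time; the regex is deliberately conservative, and a deployment should extend it from its own review of what the application logs rather than rely on these five keywords.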