DBAppender logs sensitive properties to the database when using property 
substitution in the configuration file
---------------------------------------------------------------------------------------------------------------

                 Key: LBCLASSIC-205
                 URL: http://jira.qos.ch/browse/LBCLASSIC-205
             Project: logback-classic
          Issue Type: Bug
          Components: appender
    Affects Versions: 0.9.20
            Reporter: Chris Pruett
            Assignee: Logback dev list


Logback's DBAppender logs all properties in its context and MDC to the 
database. I would like to control which properties are logged, specifically 
filtering out certain values, but I can't find any options to do so. The 
documentation is terse:

  The logging_event_property is used to store the keys and values contained in
  the MDC or the Context

It should be possible to exclude certain properties, especially sensitive 
properties such as database connection parameters.

Here is an example:

Logback is configured with a DBAppender that loads its properties from 
vct.properties:

<configuration>
    <property resource="vct.properties" />

    <appender name="DB" class="ch.qos.logback.classic.db.DBAppender">
        <connectionSource class="ch.qos.logback.core.db.DataSourceConnectionSource">
            <dataSource class="com.mchange.v2.c3p0.ComboPooledDataSource">
                <driverClass>com.mysql.jdbc.Driver</driverClass>
                <jdbcUrl>jdbc:mysql://${log.db.host}:${log.db.port}/${log.db.schema}</jdbcUrl>
                <user>${log.db.username}</user>
                <password>${log.db.password}</password>
            </dataSource>
        </connectionSource>
    </appender>

    <root level="DEBUG">
        <appender-ref ref="DB" />
    </root>
</configuration>

vct.properties has the connection settings:

log.db.host=localhost
log.db.port=3306
log.db.schema=logs_development
log.db.username=loguser
log.db.password=logpass

When an event is logged, all of the connection settings are logged:

mysql> select * from logging_event_property where event_id=1;
+----------+---------------------+-------------------------------------------+
| event_id | mapped_key          | mapped_value                              |
+----------+---------------------+-------------------------------------------+
|        1 | log.db.host         | localhost                                 | 
|        1 | log.db.password     | logpass                                   | 
|        1 | log.db.port         | 3306                                      | 
|        1 | log.db.schema       | logs_development                          | 
|        1 | log.db.username     | loguser                                   | 
+----------+---------------------+-------------------------------------------+

Note that this is also documented on Stack Overflow, and logged as a bug per 
Ceki's request: 
http://stackoverflow.com/questions/2648267/can-i-prevent-logbacks-dbappender-from-logging-specific-properties/

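An audit for the leak described in the report, added here as an example (not part of the original report and not logback code): it compares the properties file used for substitution against the rows in logging_event_property and lists every property that was logged with its value intact, flagging credential-like keys. Assumptions: an in-memory SQLite table stands in for the MySQL table, the sample rows are constructed from the values in the report, the key-name pattern is illustrative, and the parser handles only simple key=value lines.

```python
import re
import sqlite3

# Constructed sample input, mirroring the vct.properties shown in the report.
SAMPLE_PROPERTIES = """\
log.db.host=localhost
log.db.port=3306
log.db.schema=logs_development
log.db.username=loguser
log.db.password=logpass
"""
# Assumption: key-name fragments that mark a value as a credential.
SENSITIVE_KEY = re.compile(r"pass|secret|token|credential|user", re.I)

def parse_properties(text):
    """Parse simple key=value / key:value lines (no continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m and line[0] not in "#!":  # skip comment lines
            props[m.group(1)] = m.group(2)
    return props

def find_leaks(conn, props):
    """Return (event_id, key, is_sensitive) for each logged property whose
    key and value both match an entry of the configuration properties."""
    rows = conn.execute(
        "SELECT event_id, mapped_key, mapped_value FROM logging_event_property "
        "ORDER BY event_id, mapped_key")
    return [(event_id, key, bool(SENSITIVE_KEY.search(key)))
            for event_id, key, value in rows if props.get(key) == value]

def demo_db():
    """In-memory SQLite stand-in for the MySQL table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logging_event_property "
                 "(event_id INTEGER, mapped_key TEXT, mapped_value TEXT)")
    rows = [(1, k, v) for k, v in parse_properties(SAMPLE_PROPERTIES).items()]
    rows.append((1, "requestId", "abc123"))  # constructed MDC entry, not from the file
    conn.executemany("INSERT INTO logging_event_property VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for event_id, key, sensitive in find_leaks(demo_db(), props):
        # Values are deliberately not printed, so the audit output is not a second leak.
        print(event_id, key, "SENSITIVE" if sensitive else "config")
```

Rows flagged as sensitive indicate credentials that should be rotated and purged from the log table, since anyone with read access to the log database can retrieve them.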