Hi Jérémie-

That should be filed as an issue— please open a ticket and we can detect command line options that are marked as ‘masked’ and log them using ‘****’ instead of clear text.

Open ticket here: https://github.com/apache/karaf/issues

Thanks,
Matt Pavlovich

> On Oct 1, 2025, at 11:13 AM, Jérémie <[email protected]> wrote:
>
> Hello,
>
> In the same type, there is also a "vulnerability" tagged by our sec team
> internally: if you execute a command with a password as a parameter, this
> password will be present in the logs, even if the parameter is declared as
> "masked". Because it is set unfiltered as the thread name of the command.
>
> Regards,
> Jérémie
>
> On Wed, Oct 1, 2025, 16:10 Ephemeris Lappis <[email protected]> wrote:
>> Hello!
>>
>> The current default appender is right for all our logs, except for shell
>> commands that are used by our dev-ops tools and generate very long (and very
>> useless) thread names.
>> How can we filter these commands that have no package, thus no explicit
>> appender ?
>>
>> Another very strange shell behavior :
>>
>> executing the command :
>> x="json = {\"a\":1, \"b\":2}"
>> .
>> produces a repeated "json = " pattern, it seems that the "{...,..." is
>> interpreted as a repeated action pattern. I've found no explanation in the
>> shell manual.
>>
>> json = "a":1 json = "b":2
>>
>> Is there a way to disable this command expansion : our dev-ops jobs fail
>> because of that :(
>>
>> Thanks.
>>
>> Regards.
>>
>>
>> On Wed, Oct 1, 2025 at 15:44, Matt Pavlovich <[email protected]> wrote:
>>> Your logging configuration must be using a pattern that includes the thread
>>> name in the log output. You can remove that macro, or configure a separate
>>> log appender for the packages you want to filter and give that a different
>>> logging pattern without the thread macro.
>>>
>>> -Matt
>>>
>>> > On Oct 1, 2025, at 5:35 AM, Ephemeris Lappis <[email protected]> wrote:
>>> >
>>> > Hello.
>>> >
>>> > We need to use the Karaf's shell "log" command to trace actions during
>>> > some deployment operations.
>>> >
>>> > We've seen that the thread name using the "log:log" command is the
>>> > command itself, producing very big lines in the log file.
>>> >
>>> > Example :
>>> > admin@root()> log:log --level WARNING "A very very long text..."
>>> > 12:29:39.362 WARN [pipe-log:log --level WARNING "A very very long
>>> > text..."] A very very long text...
>>> >
>>> > The thread name is "pipe-log:log --level WARNING "A very very long
>>> > text...""
>>> >
>>> > In reality, messages may be actually bigger, since we want to trace very
>>> > detailed information about the current deployments.
>>> >
>>> > Is there any way to avoid this ?
>>> >
>>> > Thanks in advance for your help.
>>> >
>>> > Regards.
>>>
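
For log files that were already written with the thread name in the pattern, the following is an added example (not code from this thread or from the Karaf project) that reduces each `pipe-<command line>` thread field to the command name only. It assumes the `<time> <LEVEL> [<thread>] <message>` layout of the sample line quoted in the thread; `demo:connect` and the `FelixStartLevel` line are constructed sample input.

```python
import re

# Layout assumed from the sample line in the thread:
#   <time> <LEVEL> [pipe-<command line>] <message>
PREFIX = re.compile(r'^(?P<head>\S+\s+\S+\s+)\[pipe-(?P<rest>.*)$')


def thread_end(rest):
    """Index of the ']' closing the thread field, ignoring any inside
    double-quoted arguments; -1 if the field never closes."""
    in_quotes = escaped = False
    for i, ch in enumerate(rest):
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ']' and not in_quotes:
            return i
    return -1


def scrub_line(line):
    """Reduce a 'pipe-<command line>' thread name to the command name."""
    m = PREFIX.match(line)
    if not m:
        return line  # thread is not a shell command: leave untouched
    rest = m.group('rest')
    end = thread_end(rest)
    # Unterminated field (wrapped or truncated line): drop the whole tail
    # rather than risk keeping an argument.
    field, message = (rest, '') if end < 0 else (rest[:end], rest[end + 1:])
    command = (field.split() or [''])[0]
    return f"{m.group('head')}[pipe-{command} <args removed>]{message}"


# Constructed sample input. The first line is the one quoted in the thread;
# 'demo:connect' is a hypothetical command with a secret containing ']'.
SAMPLE = [
    '12:29:39.362 WARN [pipe-log:log --level WARNING "A very very long text..."] A very very long text...',
    '12:30:01.004 INFO [pipe-demo:connect --password "s3cr]et" host] connected',
    '12:30:02.100 INFO [FelixStartLevel] Bundle started',
]

if __name__ == '__main__':
    for line in SAMPLE:
        print(scrub_line(line))
```

An unquoted argument that itself contains `]` ends the field early and leaves the rest of the argument in the message part, so review scrubbed output before sharing it.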
