Masking sensitive information during logging using log4j

About this task

You can configure the log4j utility to prevent sensitive information, such as credit card numbers and passwords, from being written to log messages. To mask the sensitive information, you must use the application-provided custom log4j Layout and Filter, and also define a set of named regular expressions in the customer_overrides.properties file.

The custom log4j layout takes the formatted message and filters the result based on a set of configurable regular expressions. The custom log4j filter matches the message against a set of regular expressions and discards the message if it matches.

To mask sensitive information during logging:

Procedure

  1. Change the layout class name in the custom logging configuration to SCIFilteredPatternLayout. For example:
    <layout
    class="com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout">
        <param name="ConversionPattern" value="%d:%-7p:%t: %-60m [%X{AppUserId}]: %-25c{1}%n"/>
        <param name="FilterSet" value="common-filter"/> <!-- Optional -->
    </layout>
  2. Change the filter class name in the custom logging configuration to SCIPatternFilter. For example:
    <filter
    class="com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter">
         <param name="FilterSet" value="suppress" /> <!-- Optional -->
    </filter>
  3. Define a set of named regular expressions against which you want to match the message in the <INSTALL_DIR>/properties/customer_overrides.properties file, using the following properties:
    filterset.<name>.pattern.<num>=<pattern>

    This property is optional:

    filterset.<name>.replace.<num>=<replace>

    where <pattern> is a Java-style regular expression and defines the regular expression against which you want to match the message string. The replace property is optional, and defines the string which will be used to replace the expression.

    You can set the default FilterSet parameters by setting the following properties:

    default.filter.filterset=<filter_name>
    default.layout.filterset=<layout_name>

    You can also define a common set of regular expression patterns across multiple filter sets as follows:

    filterset.name.includes=<name1>,<name2>,...

    You can view the <INSTALL_DIR>/properties/logfilter.properties.in file to see some sample entries for defining these properties.
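To check candidate patterns against sample messages before deploying them, the following added example (not code from the product or from the original page) loads entries in the filterset.<name>.pattern.<num> / filterset.<name>.replace.<num> format and applies them with java.util.regex. The patterns, replacement strings, numbering from 1, substring matching, and the "***" default are assumptions made for illustration; only the key format and the set names common-filter and suppress come from the steps above.

```java
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FilterSetCheck {
    // Constructed entries in the key format above; the patterns and
    // replacement strings are illustrative assumptions.
    static final String SAMPLE = String.join("\n",
        "filterset.common-filter.pattern.1=(?<![0-9])[0-9]{13,16}(?![0-9])",
        "filterset.common-filter.replace.1=[CARD]",
        "filterset.common-filter.pattern.2=(?i)(?<=password=)[^ ,;&]+",
        "filterset.common-filter.replace.2=****",
        "filterset.suppress.pattern.1=(?i)BEGIN [A-Z ]*PRIVATE KEY");

    // Layout-style use: replace every match of each numbered pattern in the set.
    static String mask(Properties p, String set, String msg) {
        for (int n = 1; ; n++) {  // assumption: numbering starts at 1 with no gaps
            String pat = p.getProperty("filterset." + set + ".pattern." + n);
            if (pat == null) return msg;
            // Assumption: "***" when replace.<num> is absent; the page does not
            // say what the product substitutes in that case.
            String rep = p.getProperty("filterset." + set + ".replace." + n, "***");
            msg = Pattern.compile(pat).matcher(msg)
                         .replaceAll(Matcher.quoteReplacement(rep));
        }
    }

    // Filter-style use: true means the message would be discarded.
    // Assumption: a match anywhere in the message counts (find, not matches).
    static boolean discard(Properties p, String set, String msg) {
        for (int n = 1; ; n++) {
            String pat = p.getProperty("filterset." + set + ".pattern." + n);
            if (pat == null) return false;
            if (Pattern.compile(pat).matcher(msg).find()) return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(SAMPLE));
        String[] msgs = {  // constructed log messages
            "Payment auth for card 4111111111111111 approved",
            "Login failed: user=jdoe password=Hunter2! source=10.0.0.5",
            "Loaded -----BEGIN RSA PRIVATE KEY----- from keystore",
            "Order 12345 shipped" };
        for (String m : msgs)
            System.out.println(discard(p, "suppress", m)
                ? "<discarded>" : mask(p, "common-filter", m));
    }
}
```

The sample patterns use character classes such as [0-9] rather than \d because java.util.Properties treats a backslash as an escape character; if the properties file is read that way, each backslash in a pattern must be doubled.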