The sensitive log and trace guard relies on lists which
declare which loggers can potentially log or trace sensitive information,
and the levels at which the sensitive information would be logged.
You can extend the default list of loggers and their corresponding
levels in cases where you find sensitive information in your log or
trace that you want to block from being logged or traced in the future.
Before you begin
Read about log level settings for information about enabling
the Sensitive Log and Trace Guard.
About this task
The application server has a private default list of sensitive
loggers and their corresponding levels which it will block whenever
the sensitive log and trace guard feature is enabled. The application
server also provides a sensitive log and trace guard property file,
and a sensitive log and trace guard API that you can use to declare
new logger restrictions if you discover other loggers which log or
trace sensitive information.
Avoid trouble: If you attempt
to add loggers to the sensitive log and trace guard list that have
already been declared, the sensitive log and trace guard will use
the more restrictive logger setting of the already declared and newly
specified levels. For example, if the server is already configured
to only allow logger com.xyz.SomeLogger to log at level FINE, and
you attempt to declare that the same logger should only be allowed
to log at level FINEST, the server will ignore the update, but if
you attempt to declare that the same logger should only be allowed
to log at level INFO, then the server will reconfigure the sensitive
log and trace guard to use level INFO for that logger.
Procedure
- You can use a properties file to declare new logger restrictions.
This file is in the cell-scoped configuration for each profile.
The name is:
<profileHome>/config/cells/<cellname>/ras.rawtracelist.properties
This file contains documentation and syntax samples, but contains no actual
entries. If you edit this file on the deployment manager the file
is automatically synchronized with all nodes in the cell. If you
edit this file on a specific node, it will be replaced the next time
the file is synchronized with the deployment manager. Thus, it is
best to maintain the list at the deployment manager.
- You can use the com.ibm.websphere.logging.RawTraceList
API to declare new logger restrictions. This API allows
you to add individual entries or an array of entries (using the PatternLevel
object in the same package). It also allows passing in an input stream
in the same format as the properties file.
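The following is an added example (not WebSphere's own code or the RawTraceList API) that models the rule from the "Avoid trouble" note above: a restriction names the lowest level a logger may still log at, and when a logger is declared twice the more restrictive level wins. It assumes the java.util.logging level ordering, exact logger-name matching, and a simple logger-to-level mapping rather than the property file's real syntax.

```python
"""Model of the sensitive log and trace guard's merge rule (added example,
not the application server's own implementation). A restriction is the
lowest level at which a logger may still log; records below that level
are blocked. Declaring a logger that is already restricted keeps the more
restrictive (higher) level, exactly as the FINE/FINEST/INFO text describes."""

# Integer values of java.util.logging.Level: higher means less detailed,
# so a higher cap blocks more of the detailed (sensitive) trace output.
JUL_LEVELS = {
    "FINEST": 300, "FINER": 400, "FINE": 500, "CONFIG": 700,
    "INFO": 800, "WARNING": 900, "SEVERE": 1000,
}


def merge_restrictions(existing, declared):
    """Return the merged logger -> level mapping.

    New loggers are added; for a logger that already has an entry the more
    restrictive level is kept, so a weaker declaration is silently ignored.
    """
    merged = dict(existing)
    for logger, level in declared.items():
        if level not in JUL_LEVELS:
            raise ValueError(f"unknown level {level!r} for logger {logger}")
        current = merged.get(logger)
        if current is None or JUL_LEVELS[level] > JUL_LEVELS[current]:
            merged[logger] = level  # new entry, or stricter than the old cap
        # else: declared level is weaker than the existing one; ignore it
    return merged


def is_blocked(restrictions, logger, level):
    """True when a record from `logger` at `level` would be suppressed.

    Assumption: exact logger-name match only; parent/child logger
    relationships are not modelled here.
    """
    cap = restrictions.get(logger)
    return cap is not None and JUL_LEVELS[level] < JUL_LEVELS[cap]


# Constructed sample mirroring the text: the server already caps SomeLogger at FINE.
DEFAULT_LIST = {"com.xyz.SomeLogger": "FINE"}

if __name__ == "__main__":
    print(merge_restrictions(DEFAULT_LIST, {"com.xyz.SomeLogger": "FINEST"}))
    print(merge_restrictions(DEFAULT_LIST, {"com.xyz.SomeLogger": "INFO"}))
    print(is_blocked({"com.xyz.SomeLogger": "INFO"}, "com.xyz.SomeLogger", "FINE"))
```

Running the script shows the FINEST declaration leaving the cap at FINE and the INFO declaration raising it to INFO.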