
Sensitive log and trace guard

The sensitive log and trace guard feature uses an internal list of allowable levels to prevent sensitive information from being exposed in log and trace files by loggers.

For example, if a servlet writes URL request parameters verbatim to logger...

...and these request parameters could contain information such as credit card numbers or passwords, add an entry to the sensitive logger list to allow only levels higher than Level.FINE to be logged...

When the server initializes the log and trace system, or when we attempt to change the log detail level for a server, the list of allowable levels for sensitive loggers is compared to the stated log detail level. Any attempt to enable logging or tracing that conflicts with entries in the list is overridden. Where the same loggers are specified multiple times in the list, the most restrictive entry is used. For example, if the list of allowable levels for sensitive loggers contains a.b.*=INFO and a.b.*=FINE, then the a.b.* loggers are restricted to logging at level INFO and higher.

Allowable levels for sensitive loggers...

Log detail level setting   Allowable levels                    Effective log detail level setting
a.b.*=SEVERE               a.b.*=FINE                          *=INFO:a.b.*=SEVERE
a.b.*=SEVERE               a.b.*=SEVERE                        *=INFO:a.b.*=SEVERE
a.b.*=FINE                 a.b.*=FATAL                         *=INFO:a.b.*=FATAL
a.*=SEVERE                 a.b.*=FINE                          *=INFO:a.*=SEVERE
a.*=SEVERE                 a.b.*=SEVERE                        *=INFO:a.*=SEVERE
a.*=FINE                   a.b.*=FATAL                         *=INFO:a.*=FINE:a.b.*=FATAL
a.b.*=SEVERE               a.*=FINE                            *=INFO:a.b.*=SEVERE
a.b.*=SEVERE               a.*=SEVERE                          *=INFO:a.b.*=SEVERE
a.b.*=FINE                 a.*=FATAL                           *=INFO:a.b.*=FATAL
a.b.*=FINE                 *=SEVERE                            *=SEVERE:a.b.*=SEVERE
a.b.*=FINE                 *=FINE                              *=INFO:a.b.*=FINE
a.b.*=FINE                 *=FINEST                            *=INFO:a.b.*=FINE
a.b.*=FINE                 x.y.z.*=SEVERE                      *=INFO:a.b.*=FINE:x.y.z.*=SEVERE
a.b.*=FINE                 x.y.z.*=FINE                        *=INFO:a.b.*=FINE
a.b.*=FINE                 x.y.z.*=FINEST                      *=INFO:a.b.*=FINE
a.b.*=FINE                 *=WARNING:x.y.z.*=SEVERE            *=WARNING:a.b.*=WARNING:x.y.z.*=SEVERE
a.b.*=FINE                 *=WARNING:*=SEVERE:x.y.z.*=SEVERE   *=SEVERE:a.b.*=SEVERE
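
The override rule described above, modelled as an added Python example (not IBM's code and not part of the original page). It assumes the *=INFO default shown in the table's effective settings, that the most specific requested entry applies to a logger, and that every matching allowable entry acts as a floor; all function names and the logger name are hypothetical.

```python
# Added example: a model of the override rule, not IBM's implementation.
# Only levels that appear on this page, ordered least to most restrictive.
LEVELS = ["FINEST", "FINE", "INFO", "WARNING", "SEVERE", "FATAL"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def strictest(*levels):
    """Return the most restrictive (least verbose) of the given levels."""
    return max(levels, key=RANK.__getitem__)


def parse(spec, default_root=None):
    """Parse 'a.b.*=FINE:*=INFO' into {pattern: level}.

    A pattern listed more than once keeps its most restrictive level.
    """
    entries = {}
    for item in filter(None, spec.split(":")):
        pattern, level = (part.strip() for part in item.split("=", 1))
        if level not in RANK:
            raise ValueError(f"unknown level in {item!r}")
        entries[pattern] = strictest(level, entries.get(pattern, level))
    if default_root:
        entries.setdefault("*", default_root)
    return entries


def matches(pattern, logger):
    """'*' matches everything; 'a.b.*' matches 'a.b' and anything below it."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        return logger == prefix or logger.startswith(prefix + ".")
    return pattern == logger


def effective_level(logger, requested_spec, allowable_spec):
    """Level a logger ends up at once the guard list has been applied."""
    # Assumption: loggers not named in the request inherit *=INFO.
    requested = parse(requested_spec, default_root="INFO")
    allowable = parse(allowable_spec)
    # Assumption: the most specific requested entry applies to the logger.
    wanted = requested[max((p for p in requested if matches(p, logger)), key=len)]
    # Assumption: every matching allowable entry is a floor on the level.
    floors = [lvl for p, lvl in allowable.items() if matches(p, logger)]
    return strictest(wanted, *floors)


if __name__ == "__main__":
    # Constructed logger name; specs taken from the table above.
    print(effective_level("a.b.Servlet", "a.b.*=FINE", "a.b.*=FATAL"))
```
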

By using this log and trace guard, we can prevent loggers from logging at levels which might expose sensitive information.

WAS v8.5 is preconfigured with a known list of loggers to restrict; however, you might find that further restrictions are required.


Related


Maintain sensitive log and trace guard lists

