Masking sensitive information during logging using log4j

You can configure the log4j utility to filter log messages. This helps to prevent sensitive information, such as CVV codes, from being logged in the verbose log messages.

About this task

For example, the value of Secure Authentication Code is masked by default. The following logFilter properties are added out-of-the-box to mask it:
filterset.paymentFilter.pattern.1=(SecureAuthenticationCode=)(["'][^"']+["'])
filterset.paymentFilter.pattern.2=(&secureAuthenticationCode=)([^&]+[&])
filterset.paymentFilter.pattern.3=(&secureAuthenticationCode=)([^&]+)$	
filterset.paymentFilter.replace.1=$1"***"
filterset.paymentFilter.replace.2=$1***
filterset.paymentFilter.replace.3=$1***

Sterling Selling and Fulfillment Foundation provides a default implementation for log4j Layout and Filter. The layout implementation is com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout.class and the filter implementation is com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter.class.

The Layout implementation first delegates the log message to a normal PatternLayout (org.apache.log4j.PatternLayout.class) to get a formatted message. When the formatted message is received, it filters the result based on a set of configurable regular expressions before finally returning a fixed string. A replace string can be provided for every regular expression pattern; if it is not provided, the matched text is replaced by the default replacement string.

The Filter implementation enables you to match a message against a set of regular expressions and mask it if it matches. Sterling Selling and Fulfillment Foundation provides an out-of-the-box log4j configuration XML with various appender specifications.

To mask sensitive information while logging, perform the following steps:

Procedure

  1. Create a custom log4jconfig xml file. Copy the <INSTALL_DIR>/resources/log4jconfig.xml file as <INSTALL_DIR>/resources/log4jconfig.custom.xml.
  2. Identify the right appender(s) for the concerned logging file(s) and change the layout class name to SCIFilteredPatternLayout and name a filter as follows:
    <layout class="com.sterlingcommerce.woodstock.util.frame.logex.SCIFilteredPatternLayout">
    	<param name="ConversionPattern" value="%d:%-7p:%t: %-60m[%X{AppUserId}]: %-25c{1}%n"/>
    	<param name="FilterSet" value="<layout_filterSet_name>"/>
    </layout>
  3. Change the filter class name to SCIPatternFilter and name a filter as follows:
    <filter class="com.sterlingcommerce.woodstock.util.frame.logex.SCIPatternFilter">
    	<param name="FilterSet" value="<filter_filterSet_name>" />
    </filter>
  4. Define the filters by overriding the properties provided in the logfilter.properties file in the <INSTALL_DIR>/properties/customer_overrides.properties file.
    Sterling Selling and Fulfillment Foundation provides the logfilter.properties property file to define the filters as a set of named regular expressions. Each property is of the following form:
    filterset.<layout_filterSet_name>.pattern.<num>=<pattern string>
    filterset.<layout_filterSet_name>.replace.<num>=<replace string>
    filterset.<filter_filterSet_name>.pattern.<num>=<pattern string>

    The pattern property is a Java-style regular expression, and defines the regular expression against which you want to match the message string. The replace property is optional, and defines what to replace the matched expression with. If the replace property is not defined, the default replacement string, **FILTERED* is used. This property has no effect during a Filter operation.

    Note: The filtering applies only to the messages logged using the log framework that is provided, which includes both YFCLogCategory and LogService. Messages logged through other methods, such as direct System.out or other log framework, are not affected.
    Sterling Selling and Fulfillment Foundation also provides the following two additional properties, which set default FilterSet names that apply to all the appenders referring to the out-of-the-box Layout and Filter implementations.
    default.layout.filterset=<default layout filterSet name>
    default.filter.filterset=<default filter filterSet name>
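
One way to check filterset patterns against representative messages before placing them in customer_overrides.properties, as an added example (not Sterling code and not the SCIFilteredPatternLayout implementation). It assumes the patterns are applied in numeric order as replace-all operations; the class name FilterSetCheck and the sample messages are constructed for illustration.

```java
import java.util.regex.Pattern;

// Added example: a stand-alone pattern check, not Sterling's SCIFilteredPatternLayout.
public class FilterSetCheck {
    // {pattern, replace} pairs for paymentFilter, copied from the default properties above.
    static final String[][] PAYMENT_FILTER = {
        {"(SecureAuthenticationCode=)([\"'][^\"']+[\"'])", "$1\"***\""},
        {"(&secureAuthenticationCode=)([^&]+[&])", "$1***"},
        {"(&secureAuthenticationCode=)([^&]+)$", "$1***"},
    };

    // Assumption: patterns run in numeric order, each as a replace-all over the message.
    static String mask(String message) {
        String out = message;
        for (String[] rule : PAYMENT_FILTER) {
            out = Pattern.compile(rule[0]).matcher(out).replaceAll(rule[1]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed messages; "123" stands in for the sensitive value.
        String[] samples = {
            "<PaymentMethod SecureAuthenticationCode=\"123\" PaymentType=\"CREDIT_CARD\"/>",
            "amount=10.00&secureAuthenticationCode=123&currency=USD", // parameter in the middle
            "amount=10.00&secureAuthenticationCode=123",              // parameter at the end
            "secureAuthenticationCode=123&amount=10.00",              // first parameter, no leading '&'
        };
        for (String s : samples) {
            String masked = mask(s);
            // The sample value surviving means no pattern covered that message shape.
            String verdict = masked.contains("123") ? "LEAKS " : "masked";
            System.out.println(verdict + " | " + masked);
        }
    }
}
```

Under the stated assumption, the second sample loses its trailing currency parameter, because pattern 2 consumes the closing & and pattern 3 then matches through the end of the message. The fourth sample is reported as LEAKS because the patterns are case-sensitive and patterns 2 and 3 require a leading &.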