From: Saibabu Vallurupalli
To: Log4J Developers List
Date: Wed, 22 Jan 2014 15:10:33 -0500
Subject: Re: software does not neutralize output that is logged

Hi Team,

I need to attach this conversation to my JIRA ticket and I am using my GMail here. Is there any URL I can generate out of this discussion to reuse or refer to? Sorry, this is a forum administration question :-(

Thank you,
Sai

On Wed, Jan 22, 2014 at 5:43 AM, Saibabu Vallurupalli <saibabu.vallurupalli@gmail.com> wrote:

> Ralph,
> Good morning.
>
> This is really helpful.
>
> Thanks so much.
>
> Regards,
> Sai
>
> On Wed, Jan 22, 2014 at 12:41 AM, Ralph Goers wrote:
>
>> Yes.
>> https://svn.apache.org/repos/asf/logging/log4j/log4j2/trunk/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/rewrite/RewriteAppenderTest.java
>> uses
>> https://svn.apache.org/repos/asf/logging/log4j/log4j2/trunk/log4j-core/src/test/resources/log4j-rewrite.xml
>> which uses a MapRewritePolicy. You would replace that with your own RewritePolicy.
>> https://svn.apache.org/repos/asf/logging/log4j/log4j2/trunk/log4j-core/src/test/java/org/apache/logging/log4j/core/appender/rewrite/TestRewritePolicy.java
>> shows a sample RewritePolicy. Basically you just create a new LogEvent copying data from the input LogEvent modifying that data as needed.
>>
>> Ralph
>>
>> On Jan 21, 2014, at 3:38 PM, Saibabu Vallurupalli <saibabu.vallurupalli@gmail.com> wrote:
>>
>> Hi Scott and Team:
>>
>> I tried to research on the internet on how to use this functionality but very limited information. Do we have a Unit test case showing this scenario in the source code? Or any reference implementation will be really helpful to refer and try in my Application.
>>
>> Please advise.
>>
>> Thank you,
>> Sai
>>
>> On Tue, Jan 21, 2014 at 5:57 PM, Scott Deboy wrote:
>>
>>> This mechanism is also available in log4j 1.2:
>>>
>>> https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/rewrite/RewriteAppender.html
>>>
>>> On 1/21/14, Scott Deboy wrote:
>>> > See
>>> > http://logging.apache.org/log4j/2.x/manual/appenders.html#RewriteAppender
>>> >
>>> > On 1/21/14, Saibabu Vallurupalli wrote:
>>> >> First of all Thanks so much for you all for the quickest response for this posting. I am thinking of writing a wrapper class and update the source, but we have about 2400 Java classes in the application which needs to be updated and are using log4j logger. I am trying to explore the option to avoid modifying all these classes with some kind of ingestion. Any suggestions around will be greatly appreciated.
>>> >>
>>> >> Thank you,
>>> >> Sai
>>> >>
>>> >> On Tue, Jan 21, 2014 at 5:20 PM, Paul Benedict wrote:
>>> >>
>>> >>> This is not an unusual requirement. I've been at a company that tries to scrub log files from certain patterns (like SSN #s). Can that be done in log4j? I don't know. It would be interesting to know if 2.0 had some sort of filtering capability. Remko? Gary? Ralph?
>>> >>>
>>> >>> On Tue, Jan 21, 2014 at 4:16 PM, Saibabu Vallurupalli <saibabu.vallurupalli@gmail.com> wrote:
>>> >>>
>>> >>>> So, we wanted to inspect the message which is getting logged out to avoid possible security issues. So, what exactly I am looking is If I wanted to add a restriction on what's been logged. How can I achieve this?
>>> >>>>
>>> >>>> For example: log.info("user name"+username+"Password"+password); // This is just an example if I see a message having password do not log it or take some action.
>>> >>>>
>>> >>>> Please advise.
>>> >>>>
>>> >>>> Thank you,
>>> >>>> Sai
>>> >>>>
>>> >>>> On Tue, Jan 21, 2014 at 5:12 PM, Remko Popma wrote:
>>> >>>>
>>> >>>>> Sorry, but I have no idea what you mean by "neutralize out".
>>> >>>>> What is currently happening and what would you like to happen instead?
>>> >>>>>
>>> >>>>> Sent from my iPhone
>>> >>>>>
>>> >>>>> > On 2014/01/22, at 6:29, Saibabu Vallurupalli <saibabu.vallurupalli@gmail.com> wrote:
>>> >>>>> >
>>> >>>>> > Hi,
>>> >>>>> >
>>> >>>>> > I am working on an issue related to logging. In our application we are using log4j for logging and we detected our software doesn't neutralize out properly. Now, Is there any way without modifying the entire source by going through each and every class we can achieve this functionality of inspecting the message getting logged and take appropriate action.
>>> >>>>> >
>>> >>>>> > We appreciate your support.
>>> >>>>> >
>>> >>>>> > Thank you,
>>> >>>>> > Sai
>>> >>>
>>> >>> --
>>> >>> Cheers,
>>> >>> Paul
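Added example, not part of the original thread or of the Log4j code base: a custom RewritePolicy of the kind Ralph Goers describes in the quoted reply, which copies the input LogEvent and replaces only its message, so none of the application's logging calls have to change. It assumes the Log4j 2.x plugin API (`Log4jLogEvent.Builder`); the class name, the appender names and both regular expressions are hypothetical, and replacing CR/LF is an assumed reading of "neutralize" in the subject line.

```java
import java.util.regex.Pattern;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.SimpleMessage;

/**
 * Hypothetical policy: masks the token after "password" and neutralizes CR/LF.
 * Wire it in by pointing loggers at the Rewrite appender (names are placeholders):
 *   <Rewrite name="Sanitized">
 *     <SanitizingRewritePolicy/>
 *     <AppenderRef ref="File"/>
 *   </Rewrite>
 */
@Plugin(name = "SanitizingRewritePolicy", category = "Core",
        elementType = "rewritePolicy", printObject = true)
public final class SanitizingRewritePolicy implements RewritePolicy {
    // Constructed patterns; tune them to the secrets your application can emit.
    private static final Pattern SECRET = Pattern.compile("(?i)(password\\s*[:=]?\\s*)\\S+");
    private static final Pattern LINE_BREAK = Pattern.compile("[\\r\\n]+");

    @PluginFactory
    public static SanitizingRewritePolicy createPolicy() {
        return new SanitizingRewritePolicy();
    }

    @Override
    public LogEvent rewrite(final LogEvent source) {
        if (source.getMessage() == null) {
            return source;
        }
        final String original = source.getMessage().getFormattedMessage();
        final String cleaned = sanitize(original);
        if (cleaned.equals(original)) {
            return source; // nothing to mask: pass the event through untouched
        }
        // Copy every field of the input event, replacing only the message.
        return new Log4jLogEvent.Builder(source)
                .setMessage(new SimpleMessage(cleaned))
                .build();
    }

    static String sanitize(final String text) {
        final String masked = SECRET.matcher(text).replaceAll("$1****");
        return LINE_BREAK.matcher(masked).replaceAll("_");
    }
}
```

Log4j has to discover the plugin, for example through its annotation processor at compile time or the `packages` attribute of the `Configuration` element. Any appender that a logger references directly bypasses the policy, so only the Rewrite appender should be attached to loggers.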