目前,我们一般都会记录进出系统的所有 XML 文档,其中一些文档包含明文密码。我们希望能够配置执行此操作的 logback 记录器/附加程序来进行一些模式匹配或类似操作,并且如果它检测到存在密码则将其替换(最有可能使用星号)。请注意,我们不想过滤掉日志条目,我们想屏蔽它的一部分。我希望得到有关如何使用 logback 完成此操作的建议。谢谢。
We currently generically log all XML documents coming in and going out of our system, and some of them contain passwords in the clear. We would like to be able to configure the logback logger/appender that is doing this to do some pattern matching or similar and if it detects a password is present to replace it (with asterisks most likely). Note we don't want to filter out the log entry, we want to mask a portion of it. I would appreciate advice on how this would be done with logback. Thanks.
发布评论
评论(2)
logback 版本 0.9.27 引入了替换功能。替换支持正则表达式。例如,如果记录的消息是“userid=alice, pswd='my Secret'”,并且输出模式是,
您只需修改模式即可
注意,上面使用了 选项引用。
之前的日志消息将输出为“userid=alice, pswd='xxx'”
为了获得出色的性能,您还可以将日志语句标记为 CONFIDENTIAL,并指示 %replace 仅对标记为 CONFIDENTIAL 的日志语句执行替换。例如,
不幸的是,当前版本的 logback 尚不支持条件替换(基于标记或其他)。但是,您可以通过扩展 ReplacingCompositeConverter 轻松编写自己的替换代码。如果您需要进一步的帮助,请在 logback-user 邮件列表上留言。
The logback version 0.9.27 introduced replacement capability. Replacements support regular expressions. For example, if the logged message was "userid=alice, pswd='my secret'", and the output pattern was
you just modify the pattern to
Note that the above makes use of option quoting.
The previous log message would be output as "userid=alice, pswd='xxx'"
For blazing performance, you could also mark the log statement as CONFIDENTIAL and instruct %replace to perform replacement only for log statements marked as CONFIDENTIAL. Example,
Unfortunately, the current version of logback does not yet support conditional replacements (based on markers or otherwise). However, you could easily write your own replacement code by extending ReplacingCompositeConverter. Shout on the logback-user mailing list if you need further assistance.
我相信屏蔽是您业务的一个方面,而不是任何技术或日志系统的方面。在某些情况下,由于法律原因,在将密码、国家身份等存储在数据库中时也应该对其进行屏蔽。您应该能够在将 xml 提供给记录器之前对其进行屏蔽。
一种方法是通过 XSLT 运行 XML,然后将其提供给记录器进行记录。
如果您不想这样做,那么 LogBack 有过滤器支持,这是其中之一选项(虽然不是正确的选项)。
但是要明白,您试图在日志基础设施级别找到的任何通用的开箱即用解决方案都将不是最佳的,因为每个日志消息都将被检查是否被屏蔽。
I believe Masking is an aspect of your business, not the aspect of any technology or logging system. There are situations where the passwords, national identities etc should be masked while storing them in the DB as well due to legal reasons. You should be able to mask the xml before giving it to the logger.
One way to do it is to run the XML through XSLT that does that making and then give it to logger for logging.
If you doesn't want to do this then LogBack has Filters support that is one of the option (not the right one though).
But understand that any generic out of the box solution you are trying to find at the logging infrastructure level is going to be suboptimal as every log message is going to be checked for masking.