

Sensitive log and trace guard

The sensitive log and trace guard is a feature that helps administrators prevent sensitive information from being exposed in log and trace files.

The sensitive log and trace guard uses an internal list of allowable levels for sensitive loggers. For each listed logger, the list specifies the lowest level at which that logger can generate log or trace data without including potentially sensitive data. You can also add your own loggers to the list that the sensitive log and trace guard will block.

For example, if a servlet writes URL request parameters verbatim to logger com.xyz.SomeLogger at level Level.FINE, and these request parameters could contain information such as credit card numbers or passwords, then you should add an entry to the sensitive logger list that allows only levels higher than Level.FINE to be logged: com.xyz.SomeLogger=CONFIG.

When the server initializes the log and trace system, or when you attempt to change the log detail level for a server, the list of allowable levels for sensitive loggers is compared to the stated log detail level. Any attempt to enable logging or tracing that conflicts with entries in the list is overridden. Where the same loggers are specified multiple times in the list, the most restrictive entry is used. For example, if the list of allowable levels for sensitive loggers contains a.b.*=INFO and a.b.*=FINE, then the a.b.* loggers are restricted to logging at levels INFO and higher. The following table provides examples of how lists of allowable levels for sensitive loggers modify specified log detail level settings to determine effective log detail level settings:

Restriction list. Examples of how sensitive log and trace guard settings affect log detail level settings

| Log detail level setting | List of allowable levels for sensitive loggers | Resulting effective log detail level setting |
|---|---|---|
| a.b.*=SEVERE | a.b.*=FINE | *=INFO:a.b.*=SEVERE |
| a.b.*=SEVERE | a.b.*=SEVERE | *=INFO:a.b.*=SEVERE |
| a.b.*=FINE | a.b.*=FATAL | *=INFO:a.b.*=FATAL |
| a.*=SEVERE | a.b.*=FINE | *=INFO:a.*=SEVERE |
| a.*=SEVERE | a.b.*=SEVERE | *=INFO:a.*=SEVERE |
| a.*=FINE | a.b.*=FATAL | *=INFO:a.*=FINE:a.b.*=FATAL |
| a.b.*=SEVERE | a.*=FINE | *=INFO:a.b.*=SEVERE |
| a.b.*=SEVERE | a.*=SEVERE | *=INFO:a.b.*=SEVERE |
| a.b.*=FINE | a.*=FATAL | *=INFO:a.b.*=FATAL |
| a.b.*=FINE | *=SEVERE | *=SEVERE:a.b.*=SEVERE |
| a.b.*=FINE | *=FINE | *=INFO:a.b.*=FINE |
| a.b.*=FINE | *=FINEST | *=INFO:a.b.*=FINE |
| a.b.*=FINE | x.y.z.*=SEVERE | *=INFO:a.b.*=FINE:x.y.z.*=SEVERE |
| a.b.*=FINE | x.y.z.*=FINE | *=INFO:a.b.*=FINE |
| a.b.*=FINE | x.y.z.*=FINEST | *=INFO:a.b.*=FINE |
| a.b.*=FINE | *=WARNING:x.y.z.*=SEVERE | *=WARNING:a.b.*=WARNING:x.y.z.*=SEVERE |
| a.b.*=FINE | *=WARNING:*=SEVERE:x.y.z.*=SEVERE | *=SEVERE:a.b.*=SEVERE |
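
The following Python sketch is an added example, not product code: it models the override with a small rule set inferred from the table rows (the page does not give the product's algorithm) and can be used to predict the effective setting before changing a server's log detail level. The function names are hypothetical, and the level ordering is the standard WebSphere one.

```python
# Added illustration: rules inferred from the table rows, not product code.
LEVELS = ["ALL", "FINEST", "FINER", "FINE", "DETAIL", "CONFIG",
          "INFO", "AUDIT", "WARNING", "SEVERE", "FATAL", "OFF"]  # least to most restrictive

def parse(spec, strictest=False):
    """Parse 'pattern=LEVEL:pattern=LEVEL' into {pattern: rank}.
    strictest=True keeps the most restrictive duplicate, as the page states for the guard list."""
    out = {}
    for item in filter(None, spec.split(":")):
        pattern, level = (part.strip() for part in item.split("="))
        rank = LEVELS.index(level.upper())
        out[pattern] = max(rank, out.get(pattern, 0)) if strictest else rank
    return out

def covers(g, p):
    """True if pattern g applies to everything pattern p names ('a.*' covers 'a.b.*')."""
    return p.startswith(g[:-1]) if g.endswith("*") else g == p

def resolved(spec, pattern):
    """Level the spec assigns to `pattern`, taken from the most specific covering entry."""
    best = max((p for p in spec if covers(p, pattern)), key=lambda p: len(p.rstrip("*")))
    return spec[best]

def effective(setting, guard_list):
    """Return the effective log detail level string for a setting and a guard list."""
    spec = {"*": LEVELS.index("INFO"), **parse(setting)}  # *=INFO default, as in every table row
    guard = parse(guard_list, strictest=True)
    for g in sorted(guard, key=len):            # broad patterns first
        hits = [p for p in spec if covers(g, p)]
        for p in hits:                          # raise conflicting entries to the guard's floor
            spec[p] = max(spec[p], guard[g])
        if not hits and resolved(spec, g) < guard[g]:
            spec[g] = guard[g]                  # guarded loggers would otherwise inherit a lower level
    return ":".join(f"{p}={LEVELS[r]}" for p, r in sorted(spec.items()))

if __name__ == "__main__":
    # Three (setting, guard list) pairs taken from the table above
    for setting, guard in [("a.b.*=FINE", "a.b.*=FATAL"),
                           ("a.*=FINE", "a.b.*=FATAL"),
                           ("a.b.*=FINE", "*=WARNING:*=SEVERE:x.y.z.*=SEVERE")]:
        print(f"{setting} + {guard} -> {effective(setting, guard)}")
```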

By using this log and trace guard, you can prevent loggers from logging at levels which might expose sensitive information.

The product is preconfigured with a known list of loggers to restrict; however, you might find that further restrictions are required.
Maintain sensitive log and trace guard lists
