Maintain sensitive log and trace guard lists
The sensitive log and trace guard relies on lists that declare which loggers can potentially log or trace sensitive information, and the levels at which the sensitive information would be logged. You can extend the default list of loggers and their corresponding levels when you find sensitive information in your log or trace that you want to block from being logged or traced in the future. Read about log level settings for information about enabling the sensitive log and trace guard.
The application server has a private default list of sensitive loggers and their corresponding levels which it will block whenever the sensitive log and trace guard feature is enabled. The application server also provides a sensitive log and trace guard property file, and a sensitive log and trace guard API that you can use to declare new logger restrictions if you discover other loggers which log or trace sensitive information. If you attempt to add loggers to the sensitive log and trace guard list that have already been declared, the sensitive log and trace guard will use the more restrictive logger setting of the already declared and newly specified levels. For example, if the server is already configured to only allow logger com.xyz.SomeLogger to log at level FINE, and you attempt to declare that the same logger should only be allowed to log at level FINEST, the server will ignore the update, but if you attempt to declare that the same logger should only be allowed to log at level INFO, then the server will reconfigure the sensitive log and trace guard to use level INFO for that logger.
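The merge rule described above, modeled as a small stand-alone Java class. This is an added example, not IBM's code, and it does not call the RawTraceList API; the class name GuardListMergeDemo and its methods are hypothetical, and the java.util.logging.Level ordering is assumed to match the ordering the server uses.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;

// Local model of the merge rule only (hypothetical class, not the WebSphere API).
public class GuardListMergeDemo {
    // Logger name -> most detailed level the logger is still allowed to log at.
    private final Map<String, Level> allowed = new LinkedHashMap<String, Level>();

    /** Returns true if the declaration changed the list, false if it was ignored. */
    public boolean declare(String logger, Level level) {
        Level current = allowed.get(logger);
        // In java.util.logging a larger intValue means a less detailed level,
        // so the more restrictive of two settings has the larger intValue.
        if (current != null && level.intValue() <= current.intValue()) {
            return false; // the existing entry is already at least as restrictive
        }
        allowed.put(logger, level);
        return true;
    }

    /** Returns the level currently recorded for the logger, or null if none. */
    public Level allowedLevel(String logger) {
        return allowed.get(logger);
    }

    public static void main(String[] args) {
        GuardListMergeDemo guard = new GuardListMergeDemo();
        String logger = "com.xyz.SomeLogger"; // logger name from the example above

        // First declaration creates the entry.
        System.out.println("FINE   changed list: " + guard.declare(logger, Level.FINE));
        // FINEST is less restrictive than FINE, so the update is ignored.
        System.out.println("FINEST changed list: " + guard.declare(logger, Level.FINEST));
        System.out.println("level now: " + guard.allowedLevel(logger));
        // INFO is more restrictive than FINE, so the entry is reconfigured.
        System.out.println("INFO   changed list: " + guard.declare(logger, Level.INFO));
        System.out.println("level now: " + guard.allowedLevel(logger));
    }
}
```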
Procedure
- You can use a properties file to declare new logger restrictions. This file is in the cell-scoped configuration for each profile. The name is:
<profileHome>/config/cells/<cellname>/ras.rawtracelist.properties
This file contains documentation and syntax samples, but contains no actual entries. If you edit this file on the dmgr the file is automatically synchronized with all nodes in the cell. If you edit this file on a specific node, it will be replaced the next time the file is synchronized with the dmgr. Thus, it is best to maintain the list at the dmgr.
- You can use the com.ibm.websphere.logging.RawTraceList API to declare new logger restrictions. This API allows you to add individual entries or an array of entries (using the PatternLevel object in the same package). It also allows passing in an input stream in the same format as the properties file.