[logback-dev] [JIRA] Commented: (LBCLASSIC-205) DBAppender logs sensitive properties to the database when using property substitution in the configuration file

Ralph Goers (JIRA) noreply-jira at qos.ch
Tue Apr 27 07:39:16 CEST 2010


    [ http://jira.qos.ch/browse/LBCLASSIC-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=11735#action_11735 ] 

Ralph Goers commented on LBCLASSIC-205:
---------------------------------------

I'd actually like to find a more general purpose way to do this as I ran into this issue with adding the MDC data to structured data. Perhaps a way to identify mdc include keys or exclude keys in the LoggerContext?

> DBAppender logs sensitive properties to the database when using property substitution in the configuration file
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: LBCLASSIC-205
>                 URL: http://jira.qos.ch/browse/LBCLASSIC-205
>             Project: logback-classic
>          Issue Type: Bug
>          Components: appender
>    Affects Versions: 0.9.20
>            Reporter: Chris Pruett
>            Assignee: Logback dev list
>
> Logback's DBAppender logs all properties in its context and MDC to the database. I would like to control which properties are logged, specifically filtering out certain values, but I can't find any options to do so. The documentation is terse:
>   The logging_event_property is used to store the keys and values contained in the MDC or the Context
> It should be possible to exclude certain properties, especially sensitive properties such as database connection parameters.
> Here is an example:
> Logback is configured with a DBAppender that loads its properties from vct.properties:
> <configuration>
>     <property resource="vct.properties" />
>     <appender name="DB" class="ch.qos.logback.classic.db.DBAppender">
>         <connectionSource class="ch.qos.logback.core.db.DataSourceConnectionSource">
>             <dataSource class="com.mchange.v2.c3p0.ComboPooledDataSource">
>                 <driverClass>com.mysql.jdbc.Driver</driverClass>
>                 <jdbcUrl>jdbc:mysql://${log.db.host}:${log.db.port}/${log.db.schema}</jdbcUrl>
>                 <user>${log.db.username}</user>
>                 <password>${log.db.password}</password>
>             </dataSource>
>         </connectionSource>
>     </appender>
>     <root level="DEBUG">
>         <appender-ref ref="DB" />
>     </root>
> </configuration>
> vct.properties has the connection settings:
> log.db.host=localhost
> log.db.port=3306
> log.db.schema=logs_development
> log.db.username=loguser
> log.db.password=logpass
> When an event is logged, all of the connection settings are logged:
> mysql> select * from logging_event_property where event_id=1;
> +----------+---------------------+-------------------------------------------+
> | event_id | mapped_key          | mapped_value                              |
> +----------+---------------------+-------------------------------------------+
> |        1 | log.db.host         | localhost                                 | 
> |        1 | log.db.password     | logpass                                   | 
> |        1 | log.db.port         | 3306                                      | 
> |        1 | log.db.schema       | logs_development                          | 
> |        1 | log.db.username     | loguser                                   | 
> +----------+---------------------+-------------------------------------------+
> Note that this is also documented on Stack Overflow, and logged as a bug per Ceki's request: http://stackoverflow.com/questions/2648267/can-i-prevent-logbacks-dbappender-from-logging-specific-properties/

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.qos.ch/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
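
An added example, not code from logback or from this thread: one way the include/exclude key idea raised in the comment could work, applied to the properties shown in the report. `PropertyKeyFilter`, its glob syntax and the `requestId` MDC entry are hypothetical, and the merge order (MDC over context) is an assumption.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Hypothetical helper, not a logback class: decides which context/MDC
// properties may be written to logging_event_property.
public class PropertyKeyFilter {
    private final List<Pattern> include = new ArrayList<>();
    private final List<Pattern> exclude = new ArrayList<>();

    // Keys are matched with glob patterns: '*' is the only wildcard.
    private static Pattern glob(String g) {
        return Pattern.compile(Stream.of(g.split("\\*", -1))
                .map(Pattern::quote).collect(Collectors.joining(".*")));
    }

    public PropertyKeyFilter include(String g) { include.add(glob(g)); return this; }
    public PropertyKeyFilter exclude(String g) { exclude.add(glob(g)); return this; }

    // Exclusion always wins; an empty include list means "everything not excluded".
    public boolean allows(String key) {
        boolean in = include.isEmpty()
                || include.stream().anyMatch(p -> p.matcher(key).matches());
        return in && exclude.stream().noneMatch(p -> p.matcher(key).matches());
    }

    // Merge context properties and MDC (assumption: MDC wins on a key clash),
    // then keep only the allowed keys.
    public Map<String, String> filter(Map<String, String> context, Map<String, String> mdc) {
        Map<String, String> merged = new TreeMap<>(context);
        merged.putAll(mdc);
        merged.keySet().removeIf(k -> !allows(k));
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample: the properties from the report plus one MDC entry.
        Map<String, String> context = Map.of(
                "log.db.host", "localhost", "log.db.port", "3306",
                "log.db.schema", "logs_development",
                "log.db.username", "loguser", "log.db.password", "logpass");
        Map<String, String> mdc = Map.of("requestId", "r-42");
        PropertyKeyFilter f = new PropertyKeyFilter().exclude("log.db.*").exclude("*password*");
        System.out.println(f.filter(context, mdc));
    }
}
```

Making exclusion take precedence over inclusion means a broad include pattern cannot re-admit a key that was explicitly excluded as sensitive.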

        

