You are viewing a plain text version of this content. The canonical link for it is here.

Posted to log4net-user@logging.apache.org by Ron Grabowski <ro...@yahoo.com> on 2008/10/02 22:58:51 UTC

Re: Replacing text in log messages

IObjectRender was designed to allow custom objects (i.e. non-value objects) to be formatted. log4net optmizes string messages by bypassing the IObjectRenderer code. I don't think a lot of people use IObjectRender. If you want to use an object renderer you can wrap your sensitive messages like this:

 SensitiveString sensitiveString = new SensitiveString("My password is 1234");
 log.Info(sensitiveString);

then register the renderer for the SensitiveString class. I'd probably write a ForwardingAppender or a Filter that alters the message before the real Appender receives the message.



----- Original Message ----
From: Lars Bjønnes <la...@gmail.com>
To: log4net-user@logging.apache.org
Sent: Thursday, October 2, 2008 2:44:52 PM
Subject: Replacing text in log messages 

Hello,

I am trying to replace certain text strings in log messages, based on  
a regular expression. The goal is to prevent sensitive information  
being logged.

Is there any easy way of doing this?

I have so far tried to write a simple implementation of the  
IObjectRenderer as  a small end to end test

namespace Log4netRegexpRenderer
{
     public class RegexpObjectRenderer : IObjectRenderer
     {
         /// <summary>
         /// Proceed to rendering for a given object.
         /// </summary>
         public string DoRender(RendererMap rendererMap, object obj)
         {
             return "Yeah, we're getting somehwere";
         }
     }
}

Then adding this to log4net.config:


     <renderer  
renderingClass="Log4netRegexpRenderer.RegexpObjectRenderer,  
Log4netRegexpRenderer" renderedClass="System.String, mscorlib" />

When I set the internal debug property in log4net to true, I can see  
that my assembly is pickedup and that there indeed is initialized an  
instance of my RegexpObjectRenderer.

However, it never calls DoRender in my custom object renderer. Is it  
possible to catch System.String/string by (mis)using the  
ObjectRenderer, or do I have to use custom objects? (Which works fine)

(I have no problems getting a custom renderer to work with my own  
custom classes, but no luck with System.String).

Suggestions?

Regards,

Lars

Re: Replacing text in log messages

Posted by Peter Drier <pe...@gmail.com>.

Or, if you don't want to slow down every message, make it safe before you
send to log4net..
String sensitiveString = "My password is 1234";
log.Info(l4nHelper.MakeSafe(sensitiveString));

you should know before you log it if it's risky or not..  and I'd hate to
add an extra step to logging every message (100k+) when only 3-5 messages a
day are sensitive..  stats from my latest app..

-Peter


On Thu, Oct 2, 2008 at 4:58 PM, Ron Grabowski <ro...@yahoo.com>wrote:

> IObjectRender was designed to allow custom objects (i.e. non-value objects)
> to be formatted. log4net optmizes string messages by bypassing the
> IObjectRenderer code. I don't think a lot of people use IObjectRender. If
> you want to use an object renderer you can wrap your sensitive messages like
> this:
>
>  SensitiveString sensitiveString = new SensitiveString("My password is
> 1234");
>  log.Info(sensitiveString);
>
> then register the renderer for the SensitiveString class. I'd probably
> write a ForwardingAppender or a Filter that alters the message before the
> real Appender receives the message.
>
>
>
> ----- Original Message ----
> From: Lars Bjønnes <la...@gmail.com>
> To: log4net-user@logging.apache.org
> Sent: Thursday, October 2, 2008 2:44:52 PM
> Subject: Replacing text in log messages
>
> Hello,
>
> I am trying to replace certain text strings in log messages, based on
> a regular expression. The goal is to prevent sensitive information
> being logged.
>
> Is there any easy way of doing this?
>
> I have so far tried to write a simple implementation of the
> IObjectRenderer as  a small end to end test
>
> namespace Log4netRegexpRenderer
> {
>     public class RegexpObjectRenderer : IObjectRenderer
>     {
>         /// <summary>
>         /// Proceed to rendering for a given object.
>         /// </summary>
>         public string DoRender(RendererMap rendererMap, object obj)
>         {
>             return "Yeah, we're getting somehwere";
>         }
>     }
> }
>
> Then adding this to log4net.config:
>
>
>     <renderer
> renderingClass="Log4netRegexpRenderer.RegexpObjectRenderer,
> Log4netRegexpRenderer" renderedClass="System.String, mscorlib" />
>
> When I set the internal debug property in log4net to true, I can see
> that my assembly is pickedup and that there indeed is initialized an
> instance of my RegexpObjectRenderer.
>
> However, it never calls DoRender in my custom object renderer. Is it
> possible to catch System.String/string by (mis)using the
> ObjectRenderer, or do I have to use custom objects? (Which works fine)
>
> (I have no problems getting a custom renderer to work with my own
> custom classes, but no luck with System.String).
>
> Suggestions?
>
> Regards,
>
> Lars
>