Posted to users@tomcat.apache.org by John Hui <jo...@gmail.com> on 2007/07/21 00:34:45 UTC
Tomcat access log question
I currently have the Tomcat access log enabled, which will log all the queries that
hit my web server. Some of the information is "confidential". So is there
a mechanism that I can use to add an interceptor or filter to "encrypt" that
information before it gets logged into the access log?
Any suggestion or pointer would be greatly appreciated!
John
Re: Tomcat access log question
Posted by Tim Funk <fu...@joedog.org>.
Extend or copy (and change) the appropriate AccessLogValve. Then place
the (changed or new) files into the server/lib or server/classes
directory as needed. (tomcat 5 speak)
Then add to server.xml (or appropriate) the new access log class.
-Tim
John Hui wrote:
> Does this mean I need to get the source for Tomcat and change
> org/apache/catalina/valves/AccessLogValve.java, then build and use my own
> version of Tomcat?
>
> Or is there a way that I can somehow create my own
> org/apache/catalina/valves/AccessLogValve.java or class, put it in a
> directory in my Tomcat environment, and modify the server.xml to point to my
> custom AccessLogValve?
>
> I'm very new to tomcat so any help or link to how to do this would help a
> lot!
>
> Thanks for taking the time to respond to my question!
>
> John
>
> On 7/21/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>>
>> > From: John Hui [mailto:john.m.hui@gmail.com]
>> > Subject: Re: Tomcat access log question
>> >
>> > I am actually not permitted to store any of this
>> > confidential information anywhere, including (the
>> > access logs).
>>
>> Due to the rather specialized nature of your requirements, your best bet
>> may well be to use your own access logger, extending the Tomcat-supplied
>> one. That way you can strip out or mask the confidential information
>> without worrying about who has read access to the logs. Just override
>> the invoke() method of whichever access log valve you're using:
>> org/apache/catalina/valves/AccessLogValve.java
>> org/apache/catalina/valves/ExtendedAccessLogValve.java
>> org/apache/catalina/valves/FastCommonAccessLogValve.java
>>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
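The masking step that a custom access log valve, as suggested in this thread, would apply to the query string before writing it, shown as an added example that is not code from the thread or from Tomcat. The class name, the parameter names "ssn" and "card", and the choice of a truncated HMAC token (so equal values stay comparable in the log without the value being stored) are assumptions; the Tomcat valve wiring is not shown.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class): masks confidential query parameters before logging.
public class QueryStringRedactor {
    private final Set<String> sensitive;   // lower-cased parameter names (assumed list)
    private final SecretKeySpec key;       // HMAC key, stored away from the log files
    public QueryStringRedactor(Set<String> sensitiveNames, byte[] hmacKey) {
        this.sensitive = sensitiveNames;
        this.key = new SecretKeySpec(hmacKey, "HmacSHA256");
    }
    // Returns the query string with each sensitive value replaced by a keyed token.
    public String redact(String query) throws Exception {
        if (query == null || query.isEmpty()) return query;
        StringBuilder out = new StringBuilder();
        for (String pair : query.split("&")) {
            if (out.length() > 0) out.append('&');
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            try {
                // Decode the name first so "%73sn" is matched the same as "ssn".
                String name = URLDecoder.decode(rawName, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
                if (eq < 0 || !sensitive.contains(name)) { out.append(pair); continue; }
                // Decode the value so differently escaped copies map to one token.
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                out.append(rawName).append("=hmac:").append(token(value));
            } catch (IllegalArgumentException e) {
                out.append("[malformed]");   // fail closed: never log an undecodable pair
            }
        }
        return out.toString();
    }
    private String token(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag).substring(0, 16);
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed key
        QueryStringRedactor r = new QueryStringRedactor(Set.of("ssn", "card"), demoKey);
        // Constructed sample query; both ssn parameters print the same token.
        System.out.println(r.redact("user=alice&ssn=123-45-6789&%73sn=123-45-6789&page=2"));
    }
}
```

If no form of the value may be kept at all, append a fixed mask in place of the token.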
Re: Tomcat access log question
Posted by John Hui <jo...@gmail.com>.
Does this mean I need to get the source for Tomcat and change
org/apache/catalina/valves/AccessLogValve.java, then build and use my own
version of Tomcat?
Or is there a way that I can somehow create my own
org/apache/catalina/valves/AccessLogValve.java or class, put it in a
directory in my Tomcat environment, and modify the server.xml to point to my
custom AccessLogValve?
I'm very new to tomcat so any help or link to how to do this would help a
lot!
Thanks for taking the time to respond to my question!
John
On 7/21/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>
> > From: John Hui [mailto:john.m.hui@gmail.com]
> > Subject: Re: Tomcat access log question
> >
> > I am actually not permitted to store any of this
> > confidential information anywhere, including (the
> > access logs).
>
> Due to the rather specialized nature of your requirements, your best bet
> may well be to use your own access logger, extending the Tomcat-supplied
> one. That way you can strip out or mask the confidential information
> without worrying about who has read access to the logs. Just override
> the invoke() method of whichever access log valve you're using:
> org/apache/catalina/valves/AccessLogValve.java
> org/apache/catalina/valves/ExtendedAccessLogValve.java
> org/apache/catalina/valves/FastCommonAccessLogValve.java
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
RE: Tomcat access log question
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: John Hui [mailto:john.m.hui@gmail.com]
> Subject: Re: Tomcat access log question
>
> I am actually not permitted to store any of this
> confidential information anywhere, including (the
> access logs).
Due to the rather specialized nature of your requirements, your best bet
may well be to use your own access logger, extending the Tomcat-supplied
one. That way you can strip out or mask the confidential information
without worrying about who has read access to the logs. Just override
the invoke() method of whichever access log valve you're using:
org/apache/catalina/valves/AccessLogValve.java
org/apache/catalina/valves/ExtendedAccessLogValve.java
org/apache/catalina/valves/FastCommonAccessLogValve.java
- Chuck
Re: Tomcat access log question
Posted by John Hui <jo...@gmail.com>.
Thanks for the response Jacob.
I think I should be more clear about my use case.
I am actually not permitted to store any of this confidential information
anywhere, including (the access logs). That's why I want to encrypt this
information. I can remove the entire query string from being logged at all,
but this data can be very useful to us, so we do want to log it (without
exposing the confidential value in the request).
Thanks!
John
On 7/20/07, Jacob Rhoden <ja...@uptecs.com> wrote:
>
> John Hui wrote:
> > I currently have the Tomcat access log enabled, which will log all the
> > queries that hit my web server. Some of the information is
> > "confidential". So is there a mechanism that I can use to add an
> > interceptor or filter to "encrypt" that information before it gets
> > logged into the access log?
> >
> > Any suggestion or pointer would be greatly appreciated!
> >
> > John
> >
> It would be better to alter the application (if you can) to not include
> private information inside URLs.
>
> But either way, just make the logs readable and writable only by tomcat. That
> way the user has to have access to tomcat before they can read the logs.
> And if the user has access to tomcat, then they will be able to read
> your logs no matter whether your logs are encrypted or not. (i.e. if the
> user has access to tomcat they can simply monitor all incoming traffic
> via other means, and get much more confidential information than just
> URLs and IP addresses)
>
> Best Regards,
> Jacob
Re: Tomcat access log question
Posted by Jacob Rhoden <ja...@uptecs.com>.
John Hui wrote:
> I currently have the Tomcat access log enabled, which will log all the
> queries that hit my web server. Some of the information is
> "confidential". So is there a mechanism that I can use to add an
> interceptor or filter to "encrypt" that information before it gets
> logged into the access log?
>
> Any suggestion or pointer would be greatly appreciated!
>
> John
>
It would be better to alter the application (if you can) to not include
private information inside URLs.
But either way, just make the logs readable and writable only by tomcat. That
way the user has to have access to tomcat before they can read the logs.
And if the user has access to tomcat, then they will be able to read
your logs no matter whether your logs are encrypted or not. (i.e. if the
user has access to tomcat they can simply monitor all incoming traffic
via other means, and get much more confidential information than just
URLs and IP addresses)
Best Regards,
Jacob