Remove Session IDs from Log Files

Document ID : KB000017439
Last Modified Date : 14/02/2018

Description:

As a security measure, you can configure CA Clarity PPM to prevent session ID values from appearing in your log files. To prevent these values from appearing, edit the logger.xml file. Replace the log pattern (%u:%s:%a) with the pattern (%U:%a).

Solution:

The following examples show the results of using both log patterns in the logger.xml file.

Example: (%u:%s:%a)
This line shows how the pattern that displays the session ID value appears in the logger.xml file.

<param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%u:%s:%a) %m\r\n"/>

This pattern produces records in a log file with the session ID value. The following record from the app-ca.log shows the session ID value (5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0):

DEBUG 2014-08-18 19:52:02,949 [http-bio-80-exec-3] odf.view (clarity:admin:5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0:npt.overview) Adding view FILTER_VIEW_LOADER::USER:NIKU.ROOT to transient cache

Example: (%U:%a)
This line shows how the pattern that omits the session ID value appears in the logger.xml file.

<param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%U:%a) %m\r\n"/>

This pattern produces a record in a log file without the session ID value. The following example is a record from the app-ca-service.log that shows no session ID value.

DEBUG 2014-08-18 19:52:02,494 [http-bio-80-exec-3] in.service (admin:npt.overview)

CA Clarity PPM supports additional logging patterns if the layout is set to NikuLayout in the logger.xml for an appender.

Pattern Option   Purpose
u                Creates the user ID with the tenant ID in the log.
                 Example: (%u) creates the output (clarity:admin) in the log.
U                Creates the user ID in the log.
                 Example: (%U) creates the output (admin) in the log.
s                Creates the session ID in the log.
                 Example: (%s) creates the output (5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0) in the log.
a                Creates the action ID in the log.
                 Example: (%a) creates the output (npt.overview) in the log.

Note: For more information about log4j version 1.2 supported patterns, see the API documentation for Class PatternLayout at https://logging.apache.org.
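
Added example (not part of the original article or of the product): a Python check that reports every appender in a logger.xml whose ConversionPattern still emits the session ID, and flags log records that still contain one. The appender names, the class values in the sample XML, the session ID regular expression (inferred from the single value shown above), and the assumption that NikuLayout accepts standard log4j 1.2 format modifiers such as %-40s are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# One conversion specifier: '%', optional log4j 1.2 format modifier, then a letter.
# '%%' (a literal percent sign) is matched first so a following 's' is not misread.
SPEC = re.compile(r"%(?:%|(-?\d*(?:\.\d+)?)([A-Za-z]))")
# Session ID shape inferred from the one value shown in this article (assumption).
SESSION_ID = re.compile(r"\b\d+__[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\b")

def session_specs(pattern):
    """Return the specifiers in a ConversionPattern that emit the session ID."""
    return [m.group(0) for m in SPEC.finditer(pattern) if m.group(2) == "s"]

def audit(logger_xml):
    """Map appender name -> offending specifiers for each pattern that logs %s."""
    findings = {}
    for appender in ET.fromstring(logger_xml).iter("appender"):
        for param in appender.iter("param"):
            if param.get("name") == "ConversionPattern":
                hits = session_specs(param.get("value", ""))
                if hits:
                    findings[appender.get("name")] = hits
    return findings

def lines_with_session_id(lines):
    """Return 1-based numbers of log lines that still contain a session ID."""
    return [n for n, line in enumerate(lines, 1) if SESSION_ID.search(line)]

# Constructed logger.xml fragment: appender names and class values are placeholders.
SAMPLE_XML = r"""<configuration>
 <appender name="OLD" class="placeholder"><layout class="NikuLayout">
  <param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%u:%s:%a) %m\r\n"/>
 </layout></appender>
 <appender name="NEW" class="placeholder"><layout class="NikuLayout">
  <param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%U:%a) %m\r\n"/>
 </layout></appender>
 <appender name="PADDED" class="placeholder"><layout class="NikuLayout">
  <param name="ConversionPattern" value="%d 100%%s (%U:%-40s:%a) %m\r\n"/>
 </layout></appender>
</configuration>"""

# The two records quoted in the article, reused as sample log input.
SAMPLE_LOG = [
    "DEBUG 2014-08-18 19:52:02,949 [http-bio-80-exec-3] odf.view (clarity:admin:5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0:npt.overview) Adding view FILTER_VIEW_LOADER::USER:NIKU.ROOT to transient cache",
    "DEBUG 2014-08-18 19:52:02,494 [http-bio-80-exec-3] in.service (admin:npt.overview)",
]

if __name__ == "__main__":
    print(audit(SAMPLE_XML))
    print(lines_with_session_id(SAMPLE_LOG))
```

Changing the pattern affects only new records, so the log scan is the check to run against files written before the edit.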