How to toggle hiding and unhiding sensitive information in Kubernetes and Kibana logs that come from a Spring Boot app?

I have a Spring Boot app that logs sensitive information to Kubernetes and Kibana.
How do I create a flag to toggle hiding/unhiding sensitive information?
This sensitive information can be used only for debugging purposes.

I am looking for something like :

  • isMaskEnabled = false :
    set this flag only for debugging purposes so that developers can use it for debugging.
  • isMaskEnabled = true :
    set this flag for masking sensitive information for all users who view the logs.

I tried setting the SLF4J appender to have a mask pattern, but that logs the information as masked fields in the log file. I can’t see the original data for debugging purposes.

<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="com.bpcbt.micro.utils.PatternMaskingLayout">
            <maskPattern>creditCard=\d+</maskPattern> <!-- SourcePan pattern -->
            <pattern>%d{dd/MM/yyyy HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n%ex</pattern>
        </layout>
    </encoder>
</appender>

If I want to unmask and show the original info, it is not possible here.
Any other way?
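An added example, not code from the question or from any commenter: a Logback layout in the spirit of the PatternMaskingLayout above that hides all but the last four characters of each matched secret and can only be switched off by an explicit setting, so a pod that never sets it always masks. The class name, the package and the property name LOG_MASK_ENABLED are assumptions.

```java
import ch.qos.logback.classic.PatternLayout;
import ch.qos.logback.classic.spi.ILoggingEvent;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks capture group 1 of each configured regex, leaving only its last four
 * characters visible. Masking stays ON unless explicitly switched off, so a
 * missing setting fails safe. Wiring in logback.xml (hypothetical names):
 *   <layout class="com.example.logging.ToggleMaskingLayout">
 *     <maskEnabled>${LOG_MASK_ENABLED:-true}</maskEnabled>
 *     <maskPattern>creditCard=(\d+)</maskPattern>
 *     <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n%ex</pattern>
 *   </layout>
 */
public class ToggleMaskingLayout extends PatternLayout {
    private static final int KEEP_TAIL = 4;
    private final List<Pattern> maskPatterns = new ArrayList<>();
    private boolean maskEnabled = true;

    // Logback calls this once per <maskPattern>; the regex must wrap the secret in group 1.
    public void addMaskPattern(String regex) { maskPatterns.add(Pattern.compile(regex)); }
    // Logback calls this for <maskEnabled> and converts "true"/"false" itself.
    public void setMaskEnabled(boolean enabled) { this.maskEnabled = enabled; }
    @Override
    public String doLayout(ILoggingEvent event) {
        String line = super.doLayout(event);
        return maskEnabled ? mask(line) : line;
    }
    // Package-private so the masking rule can be unit-tested without Logback.
    String mask(String line) {
        for (Pattern p : maskPatterns) {
            Matcher m = p.matcher(line);
            StringBuffer out = new StringBuffer();
            while (m.find()) {
                String secret = m.group(1);
                int tail = Math.min(KEEP_TAIL, secret.length());
                String masked = "*".repeat(secret.length() - tail) + secret.substring(secret.length() - tail);
                // Rebuild the whole match with only the group-1 span replaced.
                String replaced = line.substring(m.start(), m.start(1)) + masked + line.substring(m.end(1), m.end());
                m.appendReplacement(out, Matcher.quoteReplacement(replaced));
            }
            m.appendTail(out);
            line = out.toString();
        }
        return line;
    }
}
```

A developer debugging locally starts the JVM with -DLOG_MASK_ENABLED=false to see raw values; the production Kubernetes manifest simply never sets it, so logs are masked before they reach Kibana.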

  • 1

    Step 1 is to never log sensitive info to the logs.

  • 1

    Step 1: remove all code that logs actual credit card numbers in a context where they might learn more about who those belong to? Change your log statements to only log, say, the last 4 digits, but ideally, don’t log credit card numbers.

  • @Mike’Pomax’Kamermans Now, if I want to debug, I go through those logs and they will have only 4 digits. I need to find a way to get the original data for debugging purposes. I wanted to check the sensitive information as a developer and hide it for common people who query through Kibana.

  • 1

    If you can find actual credit card numbers tied to actual people, there’s every chance you’re already breaking local laws around handling PII. Find a different way to identify transactions that doesn’t require PII such as randomly generated transaction numbers, and look for those in your logs.

  • Why not control logs in the Spring Boot/Java module? E.g. you can have a public function that logs all the info you need. Then use isMaskEnabled to enable or disable logging. Probably enable during development and disable logging when deploying to production.
