NAME

Log::Log4perl::Layout::PatternLayout::Redact - Add stack traces without sensitive information in Log::Log4perl logs.

DESCRIPTION

Log::Log4perl offers the ability to add stack traces to layouts using %T in pattern layouts (see Log::Log4perl::Layout::PatternLayout).

However, stack traces contain a list of arguments, and those arguments can be sensitive data like passwords or credit card data. This module redacts the sensitive information, replacing them with '[redacted]' so that the stack traces can be PCI-compliant.

VERSION

Version 1.2.0

SYNOPSIS

use Log::Log4perl::Layout::PatternLayout::Redact;

Redacting stack traces

Here's an example of log4perl configuration that outputs a redacted trace (use %E instead of %T) :

log4perl.logger = WARN, logfile
log4perl.appender.logfile                          = Log::Log4perl::Appender::File
log4perl.appender.logfile.filename                 = $file_name
log4perl.appender.logfile.layout                   = Log::Log4perl::Layout::PatternLayout::Redact
log4perl.appender.logfile.layout.ConversionPattern = %d %p: (%X{host}) %P %F:%L %M - %m{chomp}%E
log4perl.appender.logfile.recreate                 = 1
log4perl.appender.logfile.mode                     = append

To set your own list of arguments to redact, rather than use the defaults in Carp::Parse::Redact, you need to set a localized version of $SENSITIVE_ARGUMENT_NAMES:

local $Log::Log4perl::Layout::PatternLayout::Redact::SENSITIVE_ARGUMENT_NAMES = 
[
	'password',
	'luggage_combination',
	'favorite_pony',
];

And hash keys in the stack trace that match these names will have their values replaced with '[redacted]'.

To set your own list of regexes to use for redaction, rather than use the defaults in Carp::Parse::Redact, you need to set a localized version of $SENSITIVE_REGEXP_PATTERNS:

local $Log::Log4perl::Layout::PatternLayout::Redact::SENSITIVE_REGEXP_PATTERNS =
[
	qr/^\d{16}$/,
]

And any argument in the stack trace that matches one of the regexes provided will be replaced with '[redacted]'.

Be sure to do the localizations of the package variables after you have initialized your logger.

Redacting messages

Here's an example of log4perl configuration that outputs a redacted message (use %e instead of %m) :

log4perl.logger = WARN, logfile
log4perl.appender.logfile                          = Log::Log4perl::Appender::File
log4perl.appender.logfile.filename                 = $file_name
log4perl.appender.logfile.layout                   = Log::Log4perl::Layout::PatternLayout::Redact
log4perl.appender.logfile.layout.ConversionPattern = %d %p: (%X{host}) %P %F:%L %M - %e
log4perl.appender.logfile.recreate                 = 1
log4perl.appender.logfile.mode                     = append

To redact the message, you will need to write your own redaction subroutine as follows:

local $Log::Log4perl::Layout::PatternLayout::Redact::MESSAGE_REDACTION_CALLBACK = sub
{
	my ( $message ) = @_;
	
	# Do replacements on the messages to redact sensitive information.
	$message =~ s/(password=")[^"]+(")/$1\[redacted\]$2/g;
	
	return $message;
};

Be sure to do the localizations of the package variable after you have initialized your logger.

AUTHOR

Kate Kirby, <kate at cpan.org>.

Guillaume Aubert, <aubertg at cpan.org>.

BUGS

Please report any bugs or feature requests to bug-log-log4perl-layout-patternlayout-redact at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Log-Log4perl-Layout-PatternLayout-Redact. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Log::Log4perl::Layout::PatternLayout::Redact

You can also look for information at:

ACKNOWLEDGEMENTS

Thanks to ThinkGeek (http://www.thinkgeek.com/) and its corporate overlords at Geeknet (http://www.geek.net/), for footing the bill while we eat pizza and write code for them!

COPYRIGHT & LICENSE

Copyright 2012 Kate Kirby & Guillaume Aubert.

This program is free software; you can redistribute it and/or modify it under the terms of the Artistic License.

See http://dev.perl.org/licenses/ for more information.