Hiding the display of secure data in log files
BMC Atrium Orchestrator masks several commonly identified data items in log files, such as passwords. Instead of the actual data, the log files include a masked string, such as ****MASKED****.
BMC Atrium Orchestrator masks the following keywords in log files:
- identity-password
- passphrase
- pass-phrase
- password
- secret-key
You can mask other data items in logs by editing the log_config.xml files. In these files you can specify the following:
- The replacement strings that you want to use when masking data in log files.
- Patterns to search for and replace in log files.
You can also mask a password passed on a command line so that it does not appear in the request and response lines of the log file. Passwords passed with the /p and /pwd flags can be masked in this way.
Note
Password masking requires the 20.15.01 content release or later. With earlier content releases, some passwords might not be masked.
The instructions on this page use regular expressions (regex). For more information about regex, refer to the following documentation:
The following BMC Communities video (5:53) demonstrates how to mask secure information in BMC Atrium Orchestrator logs.
Each peer in your BMC Atrium Orchestrator environment has a log_config.xml file. You can edit this file for each peer (for example, the CDP, HA-CDP, APs, LAPs, OCP, Development Studio) on which you want to hide data in log files. The log_config.xml file looks like the following example before you modify it:
<log-config>
<replacement-string></replacement-string>
<patterns>
<mask-pattern></mask-pattern>
</patterns>
</log-config>
In these instructions, AO_HOME represents the directory in which you installed BMC Atrium Orchestrator components on a server (such as the CDP, HA-CDP, APs, LAPs, OCP, Development Studio).
To edit a log_config.xml file to mask data in logs
- Navigate to the AO_HOME/config directory and edit the log_config.xml file.
- Locate the <log-config> section and provide the replacement string used to replace secure data and the data patterns (mask-pattern) to search for and replace, using the following examples for guidance.

Example 1: Masking a string

For replacement-string, provide any valid replacement string regex for the string that replaces the secure data. For example:
$1$2****MASKED****$3
For mask-pattern, provide any valid regex for the data pattern you want to replace. For example:
(<.*?certificate.*?)(>)[^<]+(</.*?>)
After updating the file, it looks like the following example:
<log-config>
<replacement-string>$1$2****MASKED****$3</replacement-string>
<patterns>
<mask-pattern>(<.*?certificate.*?)(>)[^<]+(</.*?>)</mask-pattern>
</patterns>
</log-config>
This example causes all parameters whose name contains "certificate" to be masked in the logs. For example, <certificate>dir</certificate> appears as <certificate>****MASKED****</certificate> in the log files. The three capture groups preserve the opening tag name, its closing angle bracket and the closing tag; only the element text matched by [^<]+ is replaced.

Example 2: Masking a password in a command line

For replacement-string, provide any valid replacement string regex for the string that replaces the secure data (the password in this case). For example:
<replacement-string>$1****MASKED****</replacement-string>
For mask-pattern, provide any valid regex for the data pattern you want to replace (the password). For example:
(/p )(.*?)( )
After updating the file, it looks like the following example:
<log-config>
<replacement-string>$1****MASKED****</replacement-string>
<patterns>
<mask-pattern>(/p )(.*?)( )</mask-pattern>
</patterns>
</log-config>
This example causes all passwords passed with the /p flag to be masked in the logs. For example, the password Asimil8 in the following line:
systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\Administrator /p Asimil8 /fo CSV
appears as ****MASKED**** in the log file, as shown in the following line:
systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\Administrator /p ****MASKED****/fo CSV
The replacement string does not re-emit the third capture group (the space after the password), which is why the masked line runs ****MASKED**** straight into /fo. Two limits of this pattern are worth checking before relying on it: it matches only when a space follows the password, so a password that is the last argument on the line is not masked, and it is case-sensitive, so a password passed with /P is not masked either.

- Save your changes to the file and close it.
- Restart the peer. See Starting and stopping product components and services.
- Repeat this process for every peer on which you want to mask data in the log files.
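The following is an added example, not part of the BMC documentation or the product, that runs the mask rules from Example 1 and Example 2 over constructed sample log lines so a mask-pattern can be checked before a peer is restarted with it. It assumes the product evaluates each mask-pattern as a regular expression and substitutes the replacement-string, as this page describes; the $1, $2, $3 capture-group syntax in those replacement strings is also what JavaScript's String.prototype.replace understands, so both of the page's examples are used verbatim. Note one difference from the file layout: log_config.xml has a single replacement-string that applies to every mask-pattern under <patterns>, whereas the dry run pairs each pattern with its own replacement only so that both examples can be tested in one pass. The sample lines, the leaks helper and the tightened pattern (/p )([^ ]+) in TIGHTER_RULES are my own constructions for illustration and do not appear on the page.

```javascript
// Added example (not BMC code): dry-run log_config.xml mask rules against
// sample log lines before deploying them to a peer.

// Rules exactly as written in the page's Example 1 and Example 2.
const PAGE_RULES = [
  { pattern: "(<.*?certificate.*?)(>)[^<]+(</.*?>)", replacement: "$1$2****MASKED****$3" },
  { pattern: "(/p )(.*?)( )",                       replacement: "$1****MASKED****" },
];

// Tightened command-line rule (my suggestion, not from the page): match the
// token after "/p " up to the next space or end of line without consuming
// the space, so the password is masked even as the last argument and the
// following argument keeps its separator.
const TIGHTER_RULES = [
  PAGE_RULES[0],
  { pattern: "(/p )([^ ]+)", replacement: "$1****MASKED****" },
];

// Compile each rule once; the "g" flag masks every occurrence on a line.
function compileRules(rules) {
  return rules.map(({ pattern, replacement }) => ({
    regex: new RegExp(pattern, "g"),
    replacement,
  }));
}

// Apply all compiled rules to one line, in order.
function maskLine(line, compiled) {
  return compiled.reduce(
    (acc, { regex, replacement }) => acc.replace(regex, replacement),
    line,
  );
}

// Mask a batch of lines with a rule set.
function maskAll(lines, rules) {
  const compiled = compileRules(rules);
  return lines.map((line) => maskLine(line, compiled));
}

// Lines in which a known test secret survived masking: run this over a
// representative sample of a peer's log before relying on a new rule.
function leaks(lines, rules, secret) {
  return maskAll(lines, rules).filter((line) => line.includes(secret));
}

// Constructed sample lines (not real peer output). The first two are the
// page's own examples; the rest probe the edge cases of "(/p )(.*?)( )".
const SAMPLE_LINES = [
  "<certificate>dir</certificate>",
  "systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\\Administrator /p Asimil8 /fo CSV",
  // password is the last argument: no trailing space, so the page's rule never matches
  "net use \\\\fileserver\\share /user:svc-backup /p Asimil8",
  // two passwords on one line, exercising the "g" flag
  "run /p Asimil8 /p Asimil8 done",
  // uppercase flag: both rules are case-sensitive and leave this line alone
  "tool /P Asimil8 /x",
];

console.log(maskAll(SAMPLE_LINES, PAGE_RULES));
console.log("leaks with page rules:", leaks(SAMPLE_LINES, PAGE_RULES, "Asimil8"));
console.log("leaks with tighter rules:", leaks(SAMPLE_LINES, TIGHTER_RULES, "Asimil8"));
```

With the page's rules, the second line is masked exactly as shown on this page (with /fo glued to the mask), while the end-of-line and uppercase-flag lines still leak the password; the tightened rule closes the end-of-line case and preserves the separating space, and only the case-sensitivity gap remains.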
Note
Parameters that contain the keyword "password" (for example, "password-type" or "password prompt") are masked in process requests as well as in the log files.