Hiding the display of secure data in log files

BMC Atrium Orchestrator masks several commonly identified data items in log files, such as passwords. Instead of the actual data being displayed, the log files include a masked string such as ****MASKED****.

BMC Atrium Orchestrator masks the following keywords in log files:

  • identity-password
  • passphrase
  • pass-phrase
  • password
  • secret-key

You can mask other data items in logs by editing the log_config.xml files. In these files you can specify the following:

  • The replacement strings that you want to use when masking data in log files.
  • Patterns to search for and replace in log files.

You can also mask passwords passed on command lines so that they do not appear in the request and response lines of the log files. Passwords supplied with the /p and /pwd flags can be masked.

Note

Password masking is supported with 20.15.01 content and later. If you are using an earlier content release, some passwords might not be masked.

The instructions on this page use regular expressions (regex). For more information about regex, see the following documentation:

  • The Java Tutorials Regular Expressions
  • Regular-Expressions.info Regular Expressions Quick Start

The following BMC Communities video (5:53) demonstrates how to mask secure information in BMC Atrium Orchestrator logs.

 https://youtu.be/wB4wdG27s9Q

Each peer in your BMC Atrium Orchestrator environment has a log_config.xml file. You can edit this file for each peer (for example, the CDP, HA-CDP, APs, LAPs, OCP, Development Studio) on which you want to hide data in log files. The log_config.xml file looks like the following example before you modify it:

<log-config> 
   <replacement-string></replacement-string> 
   <patterns>   
       <mask-pattern></mask-pattern>
   </patterns>
</log-config>

In these instructions, AO_HOME represents the directory in which you installed BMC Atrium Orchestrator components on a server (such as the CDP, HA-CDP, APs, LAPs, OCP, Development Studio).

To edit a log_config.xml file to mask data in logs

  1. Navigate to the AO_HOME/config directory and edit the log_config.xml file.

  2. Locate the <log-config> section and provide the replacement string that is used to replace secure data and the data patterns (mask-pattern) to search for and replace. Use the following examples for guidance:

    • Example 1: Masking a string
      • For replacement-string, provide any valid replacement string regex to represent the string used to replace the secure data. For example, 
        $1$2****MASKED****$3
      • For mask-pattern, provide any valid regex to represent the data pattern you want to replace. For example: 

        (&lt;.*?certificate.*?)(&gt;)[^&lt;]+(&lt;/.*?&gt;)

        After updating the file, it will look like the following example:

        <log-config> 
           <replacement-string>$1$2****MASKED****$3</replacement-string> 
           <patterns>   
               <mask-pattern>(&lt;.*?certificate.*?)(&gt;)[^&lt;]+(&lt;/.*?&gt;)</mask-pattern>
           </patterns>
        </log-config>

        This example causes all parameters with the name "certificate" to be masked in the logs. For example, <certificate>dir</certificate> appears as <certificate>****MASKED****</certificate> in the log files.

    • Example 2: Masking a password in a command line 
      • For replacement-string, provide any valid replacement string regex to represent the string used to replace the secure data (the password in this case). For example:
        <replacement-string>$1****MASKED****</replacement-string>
      • For mask-pattern, provide any valid regex to represent the data pattern you want to replace (the password). For example: 
        (/p )(.*?)( )
        After updating the file, it will look like the following example:

        <log-config> 
           <replacement-string>$1****MASKED****</replacement-string> 
           <patterns>   
               <mask-pattern>(/p )(.*?)( )</mask-pattern>
           </patterns>
        </log-config>

        This example causes all passwords with the /p flag to be masked in the logs. For example, the password Asimil8 in the following line:
        systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\Administrator /p Asimil8 /fo CSV
        will appear as ****MASKED**** in the log file, as shown in the following line:
        systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\Administrator /p ****MASKED****/fo CSV 

  3. Save your changes to the file and close it.

  4. Restart the peer. See Starting and stopping product components and services.
  5. Repeat this process for every peer on which you want to mask data in the log files.
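To check what a replacement-string and mask-pattern pair will do to sample log lines before you edit log_config.xml on every peer, here is an added JavaScript example that is not part of BMC's product or documentation. It reproduces the two examples above by reading the values out of a constructed log_config.xml, decoding the XML entities (&lt;, &gt;) into the regex the engine actually runs, and applying each pattern with the replacement string. It assumes the product expands $1, $2, ... group references the way JavaScript's String.prototype.replace does, which the page's replacement strings suggest. It also shows one consequence of the Example 2 pattern that is visible in the output above: the third group ( ) consumes the space after the password, so the replacement $1****MASKED**** drops it, and a password that is the last token on the line (no trailing space) is not matched at all. The HARDENED_XML variant and its (/p(?:wd)? )(\S+) pattern are my own suggestion, not from the page.

```javascript
// Added example, not BMC's code: a small re-implementation of the
// log_config.xml masking rules described on this page, used to check what a
// <replacement-string> / <mask-pattern> pair does to sample log lines.
// Assumption: the product applies each mask-pattern as a Java-style regex and
// expands $1, $2, ... in the replacement string; String.prototype.replace uses
// the same $n syntax, so the page's values can be used verbatim.

// Decode the XML entities the page's patterns use (&lt; &gt; &amp; ...) so the
// pattern text becomes the regex the engine actually runs.
function decodeXmlEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" does not turn into "<"
}

// Extract replacement-string and mask-pattern values from a log_config.xml
// document. A minimal element scan is enough for the flat structure shown on
// the page; use a real XML parser for anything more complex.
function parseLogConfig(xml) {
  const repl = xml.match(/<replacement-string>([\s\S]*?)<\/replacement-string>/);
  const patterns = [];
  const re = /<mask-pattern>([\s\S]*?)<\/mask-pattern>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1].trim() !== '') patterns.push(new RegExp(decodeXmlEntities(m[1]), 'g'));
  }
  return { replacement: repl ? decodeXmlEntities(repl[1]) : '', patterns };
}

// Apply every mask-pattern to one log line, substituting the replacement
// string (with its $n group references) for each match.
function maskLine(line, config) {
  return config.patterns.reduce(
    (acc, pattern) => acc.replace(pattern, config.replacement),
    line
  );
}

// Constructed log_config.xml contents copied from the page's Example 1
// (certificate parameters) and Example 2 (/p password on a command line).
const EXAMPLE1_XML = `<log-config>
   <replacement-string>$1$2****MASKED****$3</replacement-string>
   <patterns>
       <mask-pattern>(&lt;.*?certificate.*?)(&gt;)[^&lt;]+(&lt;/.*?&gt;)</mask-pattern>
   </patterns>
</log-config>`;

const EXAMPLE2_XML = `<log-config>
   <replacement-string>$1****MASKED****</replacement-string>
   <patterns>
       <mask-pattern>(/p )(.*?)( )</mask-pattern>
   </patterns>
</log-config>`;

// Hypothetical hardened variant of Example 2 (my own, not from the page):
// \S+ stops at the next space, so the separator after the password is kept,
// a password that ends the line is still matched, and /pwd is covered too.
const HARDENED_XML = `<log-config>
   <replacement-string>$1****MASKED****</replacement-string>
   <patterns>
       <mask-pattern>(/p(?:wd)? )(\\S+)</mask-pattern>
   </patterns>
</log-config>`;

// Constructed sample lines: the page's command line, plus a variant with the
// password as the last token on the line (no trailing space).
const CMD_LINE =
  'systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\\Administrator /p Asimil8 /fo CSV';
const CMD_LINE_PW_LAST =
  'systeminfo /s sjc-oc-01.eng.remedy.com /u sjc-oc-01\\Administrator /p Asimil8';

// True when the secret still appears in the masked output, i.e. the rule did
// not cover this line shape.
function secretLeaked(maskedLine, secret) {
  return maskedLine.includes(secret);
}

// Run the three configs against the constructed samples and return the
// masked lines so they can be inspected or asserted on.
function runExamples() {
  const ex1 = parseLogConfig(EXAMPLE1_XML);
  const ex2 = parseLogConfig(EXAMPLE2_XML);
  const hard = parseLogConfig(HARDENED_XML);
  return {
    certificate: maskLine('<certificate>dir</certificate>', ex1),
    command: maskLine(CMD_LINE, ex2),
    commandPwLast: maskLine(CMD_LINE_PW_LAST, ex2),
    hardenedCommand: maskLine(CMD_LINE, hard),
    hardenedPwLast: maskLine(CMD_LINE_PW_LAST, hard),
  };
}

console.log(runExamples());
```

Run it with node; runExamples() returns the masked lines for each configuration. The certificate and command results match the outputs shown in the two examples above, commandPwLast shows the password surviving unchanged because the page's pattern needs a space after it, and the two hardened results show the same line masked with its spacing intact.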

Note

Parameters that contain the keyword "password" (for example, "password-type" or "password prompt") are masked in process requests as well as in the log files.