-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password masking #1155
Comments
This is currently not possible out of the box, but I think you can implement it in a few lines - depending on the case. |
What do you mean with password masking? Passwords that in the NLog configuration, or log outputs that contains sensitive data like password, or another? |
Good question @UgurAldanmaz , I assumed the latter. |
If I push a message into the pipeline of NLog, and attach an exception to it. Anything that is pushed out to any logger would not show Not sure how to explain this further. |
You can use the replace layout renderer for that (with regex) |
Can you please provide an example of setting this layout up? How would it work for dumping stack traces, inner exceptions, etc. I'm not replacing the |
How about using a regex lookbehind and lookahead? Maybe something like |
@dealproc Did it work? |
got side tracked. trying to get to vs2015, but will get back to this shortly. |
OK, The regex You need after all something like this: (
If there performance is important, I would advise to write a custom replace which doesn't use a regex. |
If the password is not surrounded by quotes, but followed by a semicolon, you can try |
@dealproc any success on this? |
Let us know if this is still an issue. |
I know this is an old thread.. but it's the only one on this masking issue. I want to be able to search for a JSON formatted key value pair and apply masking.
I assume double quotes need to be escaped like this (")
[]http://www.convertstring.com/EncodeDecode/HtmlDecode# tells me that I have the syntax correct:
However the replace layout renderer replaces the entire message with blank. |
@304NotModified Are you able to reopen this issue, or do you want to start another thread? |
please a new issue and link to this one, thanks! |
I know this is an old thread but maybe this is helpful to someone. I have created this pattern primarily to remove passwords in connections strings (but could also be easily adjusted to match other/similar patterns): It replaces passwords in the following format: Case-insensitive password variable:
Different line endings:
This is the pattern I have used: This is what it translates to in an NLog variable: <variable name="replacePasswords" value="${replace:searchFor=(?i)(?<=password=)(.*?)(?=(\;|$| )):replaceWith=******:regex=true:inner=${message}}" /> And this is how I used it as part of my Database logger: <parameter name="@Message" layout="${replacePasswords}" /> Hope this helps. |
Alternative you could ensure that the sensitive-data is encapsulated in a custom class/struct. Ex. Then let the class implement Alternative one can make use of RegisterObjectTransformation for the custom |
@excelthoughts Did you manage to resolve your issue with the entire message being blank, I have exactly the same issue :( |
@andygarratt your regex is maybe wrong? Please test, for example on https://regex101.com |
This is very helpful for me but i have a scenario where the logs can have password row logs like this: Password=myPassword In other words, in addition to the equal (=) character, I could have the password string followed by a colon (:) or double quote ("). I tried to modify the regex in this way |
I guess you need to xml escape it. Or set it from code (e.g. C#) |
What is the state of capabilities for NLog to mask passwords as part of writing to the different sinks? Is it something that the application author is responsible for, or is there room for extension of the logging framework to provide for this?
The text was updated successfully, but these errors were encountered: