August Detlefsen edited this page Jun 27, 2017 · 3 revisions

Filters can be used to route different types of log events to different logs, or to prevent certain types of information from being written to logs. The OWASP Security Logging API provides the following filters:

  • ExcludeClassifiedMarkerFilter - Used to exclude classified information from being written to application log files.
  • MarkerFilter - Generic filter to include or exclude log statements based on Markers.
  • SecurityMarkerFilter - Routes security log events to a separate log appender.

Filters are added to <appender> definitions in the Logback configuration file (logback.xml). The following appender creates a regular application log. The application log should show application events and security events, but not classified events. The ExcludeClassifiedMarkerFilter is used to drop events marked with any of the information classification security markers:

<appender name="APP_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="org.owasp.security.logging.filter.ExcludeClassifiedMarkerFilter"/>
    <encoder>
        <pattern>%date [%thread] [%marker] %-5level - %mask%n</pattern>
    </encoder>
</appender>
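
A check that the filter behaves as described above, added here as an example and not taken from the project's own code or tests: it attaches ExcludeClassifiedMarkerFilter to an in-memory Logback ListAppender and confirms that the unmarked and security events arrive while the classified one does not. The SecurityMarkers constants are assumed from the project's API (they are not shown on this page), and the class name, logger name and sample messages are constructed for the example.

```java
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.read.ListAppender;
import org.owasp.security.logging.SecurityMarkers;
import org.owasp.security.logging.filter.ExcludeClassifiedMarkerFilter;
import org.slf4j.LoggerFactory;

public class ClassifiedFilterCheck {

    public static void main(String[] args) {
        LoggerContext ctx = (LoggerContext) LoggerFactory.getILoggerFactory();

        // Same filter as APP_CONSOLE, built in code instead of logback.xml.
        ExcludeClassifiedMarkerFilter filter = new ExcludeClassifiedMarkerFilter();
        filter.setContext(ctx);
        filter.start();

        // ListAppender keeps accepted events in memory so they can be inspected.
        ListAppender<ILoggingEvent> appLog = new ListAppender<>();
        appLog.setContext(ctx);
        appLog.addFilter(filter);
        appLog.start();

        // Hypothetical logger name; additivity is off so the events are not
        // also sent to the root logger's appenders.
        Logger logger = ctx.getLogger("filter.check");
        logger.setAdditive(false);
        logger.addAppender(appLog);

        // Constructed sample events: one unmarked, one security, one classified.
        logger.info("order 1001 shipped");
        logger.info(SecurityMarkers.SECURITY_SUCCESS, "user alice logged in");
        logger.info(SecurityMarkers.CONFIDENTIAL, "CLASSIFIED-SAMPLE payment detail");

        // The application log must never contain the classified event.
        for (ILoggingEvent event : appLog.list) {
            if (event.getFormattedMessage().contains("CLASSIFIED-SAMPLE")) {
                throw new AssertionError("classified event reached the application log");
            }
        }
        // Application and security events are both expected to pass.
        if (appLog.list.size() != 2) {
            throw new AssertionError("expected 2 events, got " + appLog.list.size());
        }
        System.out.println("application log kept " + appLog.list.size() + " events");
    }
}
```

Running the same check in a build pipeline catches a filter that was dropped or misconfigured before classified data reaches a production log file.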

The following appender represents a separate application log for security. It should only display security events. The SecurityMarkerFilter is used to only accept security events:

Logback:

<appender name="SECURITY_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="org.owasp.security.logging.filter.SecurityMarkerFilter"/>
    <encoder>
        <pattern>%date [%thread] [%marker] %-5level - %message%n</pattern>
    </encoder>
</appender>

Log4J:

<Console name="SecureConsole" target="SYSTEM_OUT">
  <PatternLayout pattern="SECURITY %d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %encode{%msg}%n"/>
  <Filters>
      <SecurityMarkerFilter />
  </Filters>
</Console>

This appender is only for events that have been marked as CONFIDENTIAL. It uses the generic MarkerFilter to look for log events that contain the CONFIDENTIAL Marker. If a match is found, the event is accepted into the log. Otherwise the event is dropped:

<appender name="CONFIDENTIAL_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="org.owasp.security.logging.filter.MarkerFilter">
        <marker>CONFIDENTIAL</marker>
        <onMatch>ACCEPT</onMatch>
        <onMismatch>DENY</onMismatch>
    </filter>
    <encoder>
        <pattern>CONFIDENTIAL %date [%thread] [%marker] %-5level - %msg%n</pattern>
    </encoder>
</appender>