In situations where the parameters in the messages may contain sensitive information that could pose a security risk if displayed in the logs, the GLU.Engine generates two types of logs that require controlled value representation:
1) logs that include parameters in the ‘PAYLOAD’ and
2) logs that print parameters as ‘PARAM’.
The masking of sensitive data in log entries can be controlled by configuring the PAYLOAD and PARAM log masking.
The PAYLOAD log masking is managed at the transaction level, while the PARAM log masking is managed at the parameter configuration level. It is important to note that while the PAYLOAD log masks only parameters in the PAYLOAD when printed in the log, the mask does not affect the unmarshalled value.
To mask the unmarshalled value, a mask for the full string as it appears in the logs must be added.
Then the PARAM log will be masked in the values when un-marshalled.
To mask PAYLOAD values, the ‘Mask PAYLOAD Values in Logs‘ field in the Transaction Manager Panel can be used to define the ‘tags‘ for any values that need to be masked, along with the GLU reserved word “GLU_MASK” (e.g. “username”:”GLU_MASK”).
This will replace the value for “username” with “**********”.
Since tags are used, any payload value can be masked, not just the parameter values within the payload.
The tags to be masked can be copied from the payload template configuration and will vary depending on the payload type (e.g. XML, JSON, SQL call, etc.).
NOTE: the GLU_MASK value used is the full line, so if you complete the line entry with “username”: “GLU_MASK”, the value will also be included in the masking of username – e.g. “**********”.
To mask PARAM values, the “Mask PARAM Value in Logs” checkbox (which by default is ‘checked’) must be unchecked.
Any payload tag (PAYLOAD logs) or parameter name (PARAM logs) that is configured to be masked will be masked in in all logs (INFO, WARN, DEBUG etc.) for all logs associated with a particular transaction.