9.8 Filtering Sensitive Attributes

You can activate secure logging and expand the default filter list to mask sensitive information from the log file.

When you add an attribute to the filter list, you must include the display name as well as the attribute name in the directory server. The following procedure describes how to perform this task. In this example, you are instructed to filter the user's home phone number: display name Home Phone; attribute name homePhone. However, you can filter the attribute of your choice.

Note:

Each value added to FILTER_LIST increases the runtime cost of using Secure Logging.

Oracle recommends that you optimize the use of FILTER_LIST to reduce the runtime cost. For example, rather than adding two ParamName variations (User Password and userPassword), you could use only one. Using Password as the ParamName masks values for User Password, userPassword, and other words that end with Password. Also, instead of including both Home Phone and homePhone in FILTER_LIST, you could simply use Phone.

  1. Open the log configuration file in a text editor:

    Webgate_install_dir\identity|access\oblix\config\oblog_config_wg.xml

  2. In oblog_config_wg.xml:

    1. Confirm that secure logging is active. For example:

      <SimpleList>
         <NameValPair ParamName="SECURE_LOGGING" Value="On"></NameValPair>
      </SimpleList>
      
    2. Locate the FILTER_LIST parameter at the end of the file. For example:

          <ValNameList xmlns="http://www.oblix.com" ListName="FILTER_LIST">
             <NameValPair ParamName="password" Value="40" />
             <NameValPair ParamName="Password" Value="40" />
             <NameValPair ParamName="response" Value="40" />
             <NameValPair ParamName="Response" Value="40" />
          </ValNameList>
      
    3. Add the display name to mask and the value for the mask length, then add the attribute and the value for the mask length. For example:

             <NameValPair ParamName="Home Phone" Value="300" />
             <NameValPair ParamName="homePhone" Value="300" />
      

      Note:

      For testing, set the LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL to TRACE. See Step 6a.

    4. Confirm that LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL are at the same level or are consistent with each other, as described in Table 9-4. For example:

      <SimpleList> 
         <NameValPair ParamName="LOG_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" /> 
      </SimpleList>
      ...
      <SimpleList> 
         <NameValPair ParamName="LOG_SECURITY_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" />
      </SimpleList>
      
    5. Save the oblog_config_wg.xml file.

  3. Filtering User Password: Perform the following steps and see "Parameters in the WebGate Filter List":

    In the filter list in oblog_config_wg.xml, add the User Password display name and the corresponding attribute, and set the mask length for each. For example:

        <ValNameList xmlns="http://www.oblix.com" ListName="FILTER_LIST">
          ...
           <NameValPair ParamName="User Password" Value="40" />
           <NameValPair ParamName="userPassword" Value="40" />
        </ValNameList>
    
  4. Test secure logging and filtering of sensitive information as follows:

    1. In the oblog_config_wg.xml file, set the LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL to TRACE:

         <NameValPair ParamName="LOG_THRESHOLD_LEVEL" Value="LOGLEVEL_TRACE" /> 
      ...
         <NameValPair ParamName="LOG_SECURITY_THRESHOLD_LEVEL" Value="LOGLEVEL_TRACE" />
      
    2. Perform a task that involves the component for which you have configured secure logging. For example:

      Access a resource

      View or modify the value of the attribute in the user's profile: Home Phone (if the filtered attribute is homePhone).

    3. Check the oblog and confirm that the filtered attribute value is masked by a string like ***********.

      Webgate_install_dir/access/oblix/log/oblog.log

    4. In the oblog_config_wg.xml file, reset the LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL to the desired level for your enterprise.

    5. Adjust the mask length of filtered attributes if needed in the oblog_config_wg.xml file. For example:

          <NameValPair ParamName="Home Phone" Value="340" />
          <NameValPair ParamName="homePhone" Value="340" />
      
  5. Repeat Steps 1 through 6 for each component in your deployment with one or more masked attributes.
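As an added illustration, not part of the Oracle documentation or of the WebGate code itself, the following Python script applies the rules stated in the note at the top of this section and in the procedure to a constructed configuration fragment: it confirms that SECURE_LOGGING is On and that LOG_THRESHOLD_LEVEL and LOG_SECURITY_THRESHOLD_LEVEL agree, reads FILTER_LIST, flags entries that a shorter entry already covers (the "Password" versus "User Password" case from the note), and masks a constructed key=value log line. The root element name, the log line format, and the matching rule (an entry matches when it is a case-sensitive substring of the logged parameter name, and the value is replaced by Value asterisks) are assumptions inferred from the note's examples, not a specification of how WebGate matches internally.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the oblog_config_wg.xml snippets shown above.
# The <config> root element is an assumption; only the inner lists mirror the page.
SAMPLE_CONFIG = """<config>
  <SimpleList>
    <NameValPair ParamName="SECURE_LOGGING" Value="On"></NameValPair>
  </SimpleList>
  <SimpleList>
    <NameValPair ParamName="LOG_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" />
  </SimpleList>
  <SimpleList>
    <NameValPair ParamName="LOG_SECURITY_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" />
  </SimpleList>
  <ValNameList xmlns="http://www.oblix.com" ListName="FILTER_LIST">
    <NameValPair ParamName="Password" Value="40" />
    <NameValPair ParamName="Phone" Value="300" />
  </ValNameList>
</config>"""

# Constructed log line format: "name=value" pairs separated by ";". Real oblog
# output is not shown on the page, so this is only a stand-in for the masking logic.
TOKEN = re.compile(r"([A-Za-z][A-Za-z ]*?)=([^;]+)")


def _local(tag):
    """Strip the xmlns prefix ElementTree adds, so namespaced and plain elements compare equal."""
    return tag.rsplit("}", 1)[-1]


def parse_config(xml_text):
    """Return (settings, filters): simple ParamName->Value pairs and FILTER_LIST entries with mask lengths."""
    root = ET.fromstring(xml_text)
    settings, filters = {}, {}
    for lst in root.iter():
        if _local(lst.tag) == "ValNameList" and lst.get("ListName") == "FILTER_LIST":
            for pair in lst:
                if _local(pair.tag) == "NameValPair":
                    filters[pair.get("ParamName")] = int(pair.get("Value"))
        elif _local(lst.tag) == "SimpleList":
            for pair in lst:
                if _local(pair.tag) == "NameValPair":
                    settings[pair.get("ParamName")] = pair.get("Value")
    return settings, filters


def check_config(settings, filters):
    """Return a list of problems; an empty list means the fragment follows the procedure above."""
    problems = []
    if settings.get("SECURE_LOGGING") != "On":
        problems.append("SECURE_LOGGING is not On; FILTER_LIST has no effect")
    lvl = settings.get("LOG_THRESHOLD_LEVEL")
    sec = settings.get("LOG_SECURITY_THRESHOLD_LEVEL")
    if lvl != sec:
        problems.append(f"LOG_THRESHOLD_LEVEL ({lvl}) and LOG_SECURITY_THRESHOLD_LEVEL ({sec}) differ")
    if not filters:
        problems.append("FILTER_LIST is empty")
    # Each entry costs runtime: report entries a shorter entry already covers
    # (assumed substring matching, as in the note's "Password" example).
    for name in filters:
        for other in filters:
            if other != name and other in name:
                problems.append(f"FILTER_LIST entry '{name}' is already covered by '{other}'")
    return problems


def mask_line(line, filters):
    """Replace the value of every logged parameter whose name contains a FILTER_LIST entry."""
    def repl(match):
        name, _value = match.group(1), match.group(2)
        for entry, length in filters.items():
            if entry in name:  # assumption: case-sensitive substring match on the parameter name
                return f"{name}={'*' * length}"
        return match.group(0)
    return TOKEN.sub(repl, line)


if __name__ == "__main__":
    cfg_settings, cfg_filters = parse_config(SAMPLE_CONFIG)
    for problem in check_config(cfg_settings, cfg_filters):
        print("config problem:", problem)
    # Constructed sample line; the values are placeholders.
    print(mask_line("trace: userPassword=s3cret; Home Phone=555-0100; uid=jdoe", cfg_filters))
```

Run the script as-is to see the masked line; point `parse_config` at the text of your own oblog_config_wg.xml to run the same checks against a real filter list. Because the matching rule is assumed, treat the redundancy report as a hint to test against the actual oblog.log output (step 4 above), not as proof that a shorter entry masks everything the longer one did.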