Replacing multiple values in logback

Question

I am trying to replace multiple values in logback logger which logs Cassandra CQL statements and used example from this post: Mask sensitive data in logs with logback

where invocation of %replace function is used:

%replace(  %replace(%msg){'regex1', 'replacement1'}  ){'regex2', 'replacement2'}

In my case I want to replace 3 fields - name, last name and password. Statement used is:

%replace(%replace(%replace(%msg){"first_name='.*'", "first_name='xxxxx'"}){"last_name='.*'", "last_name='yyyyyy'"}){"password='.*'", "password='zzzzzz'"}%n

It seemed to work ok, but I noticed that if order of fields is different, values are removed sometimes. For example,

1) when statement is in this order it is ok:

Executed:

UPDATE usertest.users SET password='secret_pw', last_name='Smith', first_name='John' where user_id = 1745;

Logged:

UPDATE usertest.users SET password=zzzzzz, last_name=yyyyyy, first_name=xxxxx where user_id = 1745;

2) In this case last name is removed

Executed:

UPDATE usertest.users SET password='secret_pw', first_name='John', last_name='Smith' where user_id = 1745;

Logged:

UPDATE usertest.users SET password=zzzzzz, first_name=xxxxx where user_id = 1745;

3) In this case password is removed

Executed:

UPDATE usertest.users SET last_name='Smith', password='secret_pw', first_name='John' where user_id = 1745;

Logged:

UPDATE usertest.users SET last_name=yyyyyy, first_name=xxxxx where user_id = 1745;

Could someone advice why it could happen and how it could be fixed or is there any other way to solve?

Answer 1

This is an issue with the regex pattern picking up more than you intend it to, so the replaces are overwriting each other.

I reproduced the issue you saw, and then changed the regex to include just alphanumerics (\w instead of .) so the pattern looks like this:

%replace(  %replace(  %replace(%msg){"first_name='\w*'", "first_name='xxxxx'"}  ){"last_name='\w*'", "last_name='yyyyyy'"}  ){"password='\w*'", "password='zzzzzz'"}%n

Here are some tests:

UPDATE usertest.users SET password='secret_pw', last_name='Smith', first_name='John' where user_id = 1745;
UPDATE usertest.users SET last_name='Smith', first_name='John', password='secret_pw' where user_id = 1745;
UPDATE usertest.users SET first_name='John', password='secret_pw', last_name='Smith' where user_id = 1745;
UPDATE usertest.users SET first_name='John', last_name='Smith', password='secret_pw' where user_id = 1745;

And the logging results:

Received: QUERY UPDATE usertest.users SET password='zzzzzz', last_name='yyyyyy', first_name='xxxxx' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET last_name='yyyyyy', first_name='xxxxx', password='zzzzzz' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET first_name='xxxxx', password='zzzzzz', last_name='yyyyyy' where user_id = 1745;[pageSize = 100], v=4/v4
Received: QUERY UPDATE usertest.users SET first_name='xxxxx', last_name='yyyyyy', password='zzzzzz' where user_id = 1745;[pageSize = 100], v=4/v4

Answer 2

There is no need to use nested replace directive here. Just use regex alternation with a capture group like this:

%replace(%msg){"(first_name|last_name|password)='\w+'", "$1='****'"}

(first_name|last_name|password) is a capture group that matches any one of the 3 fields in the group and captures the matched value in group#1 that we are using in replacement as $1.