Hi,

I'm supposed to be logging a "commercial" transaction object (e.g. the request/response of a credit card processing gateway).

Someone mentioned using log4net to store that... but it just doesn't feel right, especially given that some information (i.e. properties on the object) needs to be either omitted entirely or massaged (e.g. only log the last 4 digits of the credit card involved in the transaction).

I was thinking more of a custom "ITransactionLogger". Thoughts?

+3  A: 

The main problem I would have with log4net is that you can control the output target for logging through a configuration file. If someone accidentally or purposely changes that configuration file, sensitive financial data will be exposed.

I usually am a big fan of not reinventing the wheel, but in this case you need a logging solution that has minimal configuration points and tight control.

Eric J.
My concern exactly... will wait for votes on this before approving.
Oli
+5  A: 

I would say that you are doing "auditing" not "logging", in that you are producing data of business significance. This implies that the data needs to be managed, backed-up etc. All those things that databases give you. For the sake of clarity I would use a separate auditing API.

djna
Good point. I need to audit that data more so than just log what's going on. It's a separate business concern. Thanks!
Oli
You actually need both things. It is a pretty common issue to forget protecting private data in logs.
weismat
+1  A: 

You can create a custom formatter for a specific object/exception in log4net. I would try that to log your transaction objects in a way that specifically omits the credit card detail.

Pratik
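A sketch of the "ITransactionLogger" idea from the question, showing the omit-or-mask requirement with an allow-list of fields. This is an added example, not code from any poster in this thread; `CardTransaction`, `RedactingTransactionLogger`, `MaskPan` and the property names are hypothetical.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Linq;

// Hypothetical gateway result; the type and its properties are assumptions.
public sealed class CardTransaction
{
    public string TransactionId { get; set; }
    public string CardNumber { get; set; }  // full PAN, never written out
    public string Cvv { get; set; }         // omitted entirely
    public decimal Amount { get; set; }
    public string ResponseCode { get; set; }
}

public interface ITransactionLogger { void Log(CardTransaction tx); }

public sealed class RedactingTransactionLogger : ITransactionLogger
{
    private readonly TextWriter _sink;  // chosen in code, not in a config file

    public RedactingTransactionLogger(TextWriter sink) =>
        _sink = sink ?? throw new ArgumentNullException(nameof(sink));

    // Keep only the last four digits; mask everything if the value is too short.
    public static string MaskPan(string pan)
    {
        var digits = new string((pan ?? "").Where(c => c >= '0' && c <= '9').ToArray());
        if (digits.Length < 8) return "****";
        return new string('*', digits.Length - 4) + digits.Substring(digits.Length - 4);
    }

    // Allow-list: every field is named explicitly, so a property added to
    // CardTransaction later is not logged by accident. Cvv is never read.
    public void Log(CardTransaction tx)
    {
        if (tx == null) throw new ArgumentNullException(nameof(tx));
        _sink.WriteLine(string.Format(CultureInfo.InvariantCulture,
            "{0:o} tx={1} card={2} amount={3:F2} response={4}", DateTime.UtcNow,
            tx.TransactionId, MaskPan(tx.CardNumber), tx.Amount, tx.ResponseCode));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input (a commonly used test card number).
        var tx = new CardTransaction { TransactionId = "T-1001",
            CardNumber = "4111 1111 1111 1111", Cvv = "123", Amount = 49.90m, ResponseCode = "00" };
        new RedactingTransactionLogger(Console.Out).Log(tx);
    }
}
```

The same `MaskPan` projection could sit behind a database-backed audit writer or a log4net renderer; the point is that redaction happens before the value reaches any sink.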