views:

44

answers:

3

I have a security tool that sends users their new password through email. The production email module (that I don’t own and don’t want to change) will log the entire html email message body using Log4Net when the threshold is VERBOSE. Since the email contains a domain user’s password in clear text, I would like to remove the password from the log messages before it reaches the appenders.

Is there a way for me to temporary insert an object into the Log4Net stack that would allow me to search the LoggingEvent message and alter it to mask out any passwords that I find? I’d like to insert the object, call the email module, and then remove the object.

A: 

log4net is open source, you can modify it.

TTT
A: 

You can try intercepting the calls to log4net using the Unity Application Block method interceptor. Or you could write a custom log4net appender.

TMN
A: 

I would probably write a pattern converter. You can find an example here. Your implementation could be like this:

protected override void Convert(TextWriter writer, LoggingEvent loggingEvent)
{
    string msg = loggingEvent.RenderedMessage;
    // remove the password if there is any
    writer.Write(msg);
}
Stefan Egli