Hide Selected Data in Logs

Security Benefits

This feature prevents unauthorized users from seeing particular data in the output of log messages. Where logs are distributed to another party, such as for troubleshooting purposes, this feature enables you to hide confidential data that you do not want the other party to see. This feature is also useful for preserving the confidentiality of data provided to you by third parties, which might be attached to the logs.

Supporting Components

This feature is supported by the following Genesys components:

Management Framework
Media and Network T-Servers
Load Distribution Server
Outbound Contact Server
Interaction Concentrator (ICON)
Federated
Universal Contact Server
Universal Routing Server
Orchestration Server
eServices (partial)
Enterprise SDK
Interaction SDK
Real Time Metrics Engine
Genesys Mobile Services

This following Genesys components support this feature in part or in a similar manner:

SIP Server, except for data that appears in a SIP header
Stat Server, in a non-standard way. For more information, refer to Stat Server-specific documentation.
Platform SDK (PSDK), in a non-standard way. For more information, refer to PSDK-specific documentation.
Workspace Desktop Edition (formerly known as Interaction Workspace). For configuration details of this feature in Workspace Desktop Edition, refer to the Workspace Desktop Edition Deployment Guide.
IVR Connector handles logging of attached data on T-Library events and messages using standard T-Server configuration as described in T-Server-specific documentation. However, to avoid logging attached data in XML messages within the XML interface, use the hide-xml-udata configuration option as described in IVR Connector-specific documentation.
Genesys Voice Platform (GVP) supports hiding Voice XML (VXML) variables by using PRIVATE variables. For more information, refer to GVP documentation.

Feature Description

This feature enables you to hide selected KV pairs in the User Data, Extensions, and Reasons attributes of log messages generated by a Genesys component. You can choose to hide just the value itself by replacing it with a series of asterisks (*), or you can remove the whole KV pair from the log output.

Starting in release 8.0, you can also hide only part of the value in a particular KV pair. This provides the intended security, but with enough data to use for tracking field values, if necessary.

Starting in release 8.1, you can mark the selected KV pairs with specific characters (called tags), which enable the log message to be parsed by downstream applications and the marked data hidden. Default tags are provided (<# for a prefix and #> for a postfix), and you can define your own custom tags of up to 16 characters, if required.

Feature Configuration

This section describes how to configure this feature, along with some examples of hiding data in the different ways made possible by the feature. For detailed descriptions of the configuration options used to configure this feature, refer to the Framework Configuration Options Reference Manual.

This feature can be used to hide information in the User Data, Extensions, and Reasons attributes of the log. The implementation is the same for all three attributes.

This feature is implemented by defining the following configuration options in the server Application object:

default-filter-type in the [log-filter] section defines the treatment for all KV pairs in the User Data, Extensions, and Reasons attributes. This setting will be applied to the attributes of all KVList pairs in the attribute except those that are explicitly defined in the [log-filter-data] section.
One or more <key-name> options in the [log-filter-data] section define the treatment for specific keys in the log, overriding the default treatment specified by default-filter-type. If no value is specified for this option, no additional processing of this data element is performed.

The default settings of the options enable all data to be visible in the log.

Important

For T-Server Application objects, if the T-Server common option log-trace-flags is set to -udata, it will disable writing of user data to the log regardless of the settings of any options in the [log-filter-data section]. Refer to the documentation for your particular T-Server for information about the log-trace-flags option.

Examples

This section provides examples of using the options to define settings (default-filter-type) for the entire log, and settings (<kv-pair>) specific to a KV pair. For simplicity, the examples show only the use of the feature to hide information in the User Data attribute.

Default Settings

This example uses the default settings. Note that all data is visible in the log.

[log-filter]
default-filter-type=copy

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          '111111111'
          'RECORD_ID'         '8313427'
   AttributeConnID            008b012ece62c922

Masking Partial Values

This example replaces the first three characters of every key value with three asterisks (***).

[log-filter]
default-filter-type=hide-first,3

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '***0'
          ‘PASSWORD'          '***111111'
          'RECORD_ID'         '***3427'
   AttributeConnID            008b012ece62c922

Using Default Tags

This example uses the default tags <# and #>. Note that all KV pairs in the User Data attribute are identically tagged.

[log-filter]
default-filter-type=tag()

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              <#'8410'#>
          ‘PASSWORD'          <#'111111111'#>
          'RECORD_ID'         <#'8313427'#>
   AttributeConnID            008b012ece62c922

Using User-defined Tags for All Attributes

This example uses the user-defined tags <** and **>. Note that all KV pairs in the User Data attribute are identically tagged.

[log-filter]
default-filter-type=tag(<**,**>)
message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              <**'8410'**>
          ‘PASSWORD'          <**'111111111'**>
          'RECORD_ID'         <**'8313427'**>
   AttributeConnID            008b012ece62c922

Masking Individual Values in Selected KV Pairs

This example replaces the value of the PASSWORD key with a series of asterisks (****).

[log-filter-data]
PASSWORD=hide

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          '****'
          'RECORD_ID'         '8313427'
   AttributeConnID            008b012ece62c922

Masking Partial Values in Selected KV Pairs

This example replaces all but the last five characters of the PASSWORD key with a series of asterisks (****).

[log-filter-data]
PASSWORD=unhide-last,5

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          '****11111'
          'RECORD_ID'         '8313427'
   AttributeConnID            008b012ece62c922

Tagging Specific KV Pairs with Default Tags

This example tags the value of the PASSWORD key with the default tags <# and #>. Note that the values of the other keys are not tagged.

[log-filter-data]
PASSWORD=tag()

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          <#'1234'#>
          'RECORD_ID'         '8313427'
   AttributeConnID            008b012ece62c922

Tagging Specific KV Pairs with User-defined Tags

This example tags the value of the PASSWORD key with the user-defined tags . Note that the values of the other keys are not tagged.

[log-filter-data]
PASSWORD=tag(<!--,-->)

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          <!--'1234'-->
          'RECORD_ID'         '8313427'
   AttributeConnID            008b012ece62c922

Tagging Individual KV Pairs with Different Tags

This example tags the value of the PASSWORD key with user-defined tags , and the value of the RECORD_ID key with default tags <# and #>. Note that the values of the other keys are not tagged.

[log-filter-data]
PASSWORD=tag(<!--,-->)
RECORD_ID= tag()

message RequestSetCallInfo
   AttributeConsultType       3
   AttributeOriginalConnID    008b012ece62c8be
   AttributeUpdateRevision    2752651
   AttributeUserData          [111] 00 27 01 00
          ‘DNIS'              '8410'
          ‘PASSWORD'          <!--'1234'-->
          'RECORD_ID'         <#'8313427'#>
   AttributeConnID            008b012ece62c922