Mask fields based on log level

[fdw]

We'd like to log as little sensitive information as possible. However, we also noticed that we do need certain information in error cases. Currently, we make this work by only setting the information in the error case, but that leads to inconsistencies.

What I'd love to do is to save even sensitive information automatically, all the time, in the MDC, but only log it out if the level is 'ERROR` (for example). That way, we could be sure that there is no sensitive information in the normal flow, but in error cases, we have all the information we need in a consistent formatting.

I have not found any information on whether masking (or another mechanism) can do this.

[philsttr]

While logstash-logback-encoder does not have first-class support for this use case, you can accomplish it by creating a custom JsonProvider.

If the sensitive information is contained within well-known MDC properties, then take the following approach:

1. Prevent the sensitive fields from being logged by the standard MDC json provider via excludeMdcKeyName. See here or here, depending on which encoder you are using.
2. Create a new custom JsonProvider that inspects the log level of the LoggingEvent, and writes those sensitive MDC fields only if the log level is error
3. Configure the encoder to use your new custom JsonProvider

[fdw]

Thank you, works perfectly :)

If anyone else wants to do this, I extended the AbstractFieldJsonProvider.