OutSystems Integration Logs - Obfuscate/Remove sensitive data in request or response
Application Type
Mobile

Hi, 

We have a bank application and we do not want our sensitive data to be logged in Service Studio.

Is there any way this information can be obfuscated/removed/masked in case an admin starts logging the requests/responses of the service in the Production environment for SOAP APIs?

Is there any other solution for this case?

Rank: #312

Hi Ahmad, 

The Log database is read-only, so you cannot change the contents after they have been logged. For your APIs, make sure to set the log level in the module where they are created. Then make sure you restrict access to Service Center tightly enough that people without the right clearance are unable to change these settings. Use LifeTime to set the rights of developers/administrators to restrict their abilities or hide certain applications from them entirely.

See https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Manage_IT_Users/Understand_the_Permission_Model_for_IT_Users for more info.

Rank: #1100

Hi, 

Thank you for your answer, but unfortunately it's not what I am looking for.

Our case is that we need to log the data, but masked, for example the credit card number or the account number, etc.

And we do not want to give our IT users access to our environment's Service Center.

We are looking to create a new application and then fetch the log from the built-in log entity in OutSystems.

Also, on behalf of our security department, having such data in the OutSystems built-in log entity is not acceptable at all.

What I am looking for is a sensitive value attribute for the inputs or the outputs of the API, such as the one currently available for Consume REST API.

Rank: #312

In that case, it is currently impossible with the OutSystems platform to accomplish this. But with the correct settings, no logging of the request content is done. Only a log saying that the request has been performed.

Rank: #1100

I did find a workaround solution, but the thing is it causes a performance issue, as the API takes a long time to finish.

That's why I have raised this question.

Thank you

Rank: #2840

Curious what your workaround is!  We had a similar requirement where security wanted to record the data from all requests, but have passwords, etc. obfuscated.  I ended up adding a log table to save the records they wanted but still control the content.  It worked fine for our smaller apps but it did not scale so we abandoned the effort for the high traffic application.

Rank: #1100

Simply disable the automatic logging from OutSystems, and inside the API do whatever you want to your data and then call the built-in log action.


But the main issue here is the performance of the API, and we have almost 400 APIs, so it's a pain in the ass to implement this logic for each.
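
The masking step of the workaround described in this thread, as an added example that is not part of the original posts and is not OutSystems code: a Python sketch that masks a SOAP body before it is handed to a log call. The element names in `SENSITIVE_TAGS`, the function names and the sample envelope are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed element names whose content is always masked; adjust to the schema.
SENSITIVE_TAGS = {"accountnumber", "password", "cvv"}
# Candidate card numbers: 13-19 digits, optionally separated by space or dash.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed sample request (test card number, made-up account and reference).
SAMPLE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><Pay><AccountNumber>0012345678</AccountNumber>"
    "<Note>card 4111 1111 1111 1111 ref 1234567890123</Note></Pay>"
    "</soap:Body></soap:Envelope>"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()  # not a card number, e.g. a reference id
    # Keep first 6 and last 4 digits so entries can still be correlated.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_soap(xml_text: str) -> str:
    """Return a copy of the SOAP body that is safe to pass to the log action."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fail closed: a body that cannot be inspected is not logged at all.
        return "[unparseable body withheld from log]"
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if not el.text:
            continue
        # Only element text is scanned; attributes and tail text are not.
        el.text = "****" if local in SENSITIVE_TAGS else PAN_RE.sub(mask_pan, el.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(mask_soap(SAMPLE))
```
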