Selective logging in Mulesoft Anypoint Runtime to safeguard sensitive information

Verma Varun
Feb 17, 2021

I recently got into a situation where I was logging payloads in Anypoint Runtime and realized that the payload contained sensitive information (email, SSN, etc.). This information is highly useful for debugging while we are developing applications, but it’s quite a hassle to enable/disable logs and re-deploy applications in lower environments when troubleshooting issues.

Like any other product or language, Mulesoft offers a solution for this problem. When printing logs, you can define the level of each log, e.g. INFO (default), DEBUG, ERROR, etc. Logs at the default INFO level are always printed at runtime, whereas logs tagged with a different level, e.g. DEBUG, are not printed at runtime unless enabled. The solution is to log anything that contains sensitive/PII information with the level set to DEBUG and to enable those logs only in the lower environment as needed. The only drawback (which isn’t a big deal here) is that you may end up printing certain logs twice: an INFO log with the state of the transaction or whatever non-sensitive information you intended to print, and a DEBUG log right after it with the payload/header/auth or any other sensitive information that you would like to peek at as needed.

Here are the steps to implement selective logging in Mule Anypoint Runtime:

1. Add a log with Level set to INFO to print the state of the transaction.

2. Add a DEBUG level log where you can now print the entire payload. There’s a lot of personalisation that you can do here depending on your needs, e.g. my payload had the authorization credentials that I didn’t really need for debugging purposes, so I stripped them off so that I won’t print auth info in the logs even in the lower environment. This is generally considered a good practice, especially if the system you are connecting to doesn’t belong to you and is owned by your customer or a 3rd party.

Don’t forget to add the Category here for your DEBUG log and I’ll show you why this is useful.

3. On the Runtime environment where you would like to display the sensitive logs (possibly your lower environment like DEV), navigate to your Runtime Manager > {ENV} > Applications > {Your-Application} > Settings and click on the Logging tab. The default would look like this where all INFO level logs are being displayed:

Select DEBUG from the dropdown and set the package.name value to com.domain (or whatever you entered for Category while setting up the DEBUG log in Step 2). Click on Apply Changes; the changes should take effect and you should start seeing the DEBUG logs in addition to the INFO logs in the lower environment where you enabled them.
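
The logger pair from steps 1 and 2, written as Mule 4 configuration XML. This is an added example, not the author's application: it assumes Mule 4 and a JSON object payload, the flow name, the INFO message and the `authorization` key name are assumptions, and `com.domain` is the category used in the steps above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core
                          http://www.mulesoft.org/schema/mule/core/current/mule.xsd">

    <!-- Flow name is an assumption for this example -->
    <flow name="customer-sync-flow">

        <!-- Before: the whole payload at INFO, so email/SSN values are
             written to the logs in every environment.
        <logger level="INFO" message="#[payload]" />
        -->

        <!-- Step 1: the INFO log carries transaction state only, no payload
             fields. correlationId is a predefined Mule 4 variable. -->
        <logger level="INFO"
                message="#['Received customer record, correlationId=' ++ correlationId]" />

        <!-- Step 2: the DEBUG log has its own category so it can be switched
             on per environment. The "authorization" key (assumed name) is
             removed from the object before it is serialized for the log. -->
        <logger level="DEBUG"
                category="com.domain"
                message="#[write(payload - 'authorization', 'application/json')]" />
    </flow>
</mule>
```

Where logging is managed through the application's own `log4j2.xml` rather than the Runtime Manager Logging tab, the equivalent of step 3 is an `<AsyncLogger name="com.domain" level="DEBUG"/>` entry in the `Loggers` section of the file used for that environment.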
