NLog: Password masking

Created on 11 Jan 2016 · 17 Comments · Source: NLog/NLog

What is the state of capabilities for NLog to mask passwords as part of writing to the different sinks? Is it something that the application author is responsible for, or is there room for extension of the logging framework to provide for this?

question

All 17 comments

This is currently not possible out of the box, but I think you can implement it in a few lines - depending on the case.

What do you mean by password masking? Passwords that are in the NLog configuration, or log outputs that contain sensitive data like passwords, or something else?

Good question @UgurAldanmaz, I assumed the latter.

If I push a message into the pipeline of NLog and attach an exception to it, anything that is pushed out to any logger would not show password={my super secret password from my connection string}; or "password": "super secret password my user submitted"

Not sure how to explain this further.

You can use the replace layout renderer for that (with regex)

https://github.com/NLog/NLog/wiki/Replace-Layout-Renderer

Can you please provide an example of setting this layout up? How would it work for dumping stack traces, inner exceptions, etc.? I'm not replacing the password= portion of password=mysecretpassword, I'm trying to make it look like password=****** in these scenarios.

How about using a regex lookbehind and lookahead? Maybe something like (?<=password=').*?(?=')

@dealproc Did it work?

Got sidetracked. Trying to get to VS2015, but will get back to this shortly.

OK,

The regex (?<=password=').*?(?=') works, but it then needs quotes. E.g. password='mysecretpassword'. password=mysecretpassword won't work. Not sure if that's correct.

You need after all something like this: (< needs to be replaced)

${replace:searchFor=(?&lt;=password=').*?(?='):replaceWith=******:regex=true:inner=${message}}

If performance is important, I would advise writing a custom replace which doesn't use a regex.

If the password is not surrounded by quotes, but followed by a semicolon, you can try (?<=password=).*?(?=;)

@dealproc any success on this?

Let us know if this is still an issue.

I know this is an old thread.. but it's the only one on this masking issue.

I want to be able to search for a JSON formatted key value pair and apply masking.
Key/value pairs are both in double quotes and separated by a colon.

{"members":[{"password":"139347","Id":55}]}
want to convert to {"members":[{"password":"******","Id":55}]}

I assume double quotes need to be escaped like this (&quot;)

${replace:searchFor=(?&lt;=&quot;password&quot;:&quot;).*?(?=&quot;):replaceWith=******:regex=true:inner=${message}

http://www.convertstring.com/EncodeDecode/HtmlDecode# tells me that I have the syntax correct:
Converts to:

${replace:searchFor=(?<="password":").*?(?="):replaceWith=******:regex=true:inner=${message}

However the replace layout renderer replaces the entire message with blank.

@304NotModified Are you able to reopen this issue, or do you want to start another thread?

Please open a new issue and link to this one, thanks!

I know this is an old thread but maybe this is helpful to someone. I have created this pattern primarily to remove passwords in connection strings (but could also be easily adjusted to match other/similar patterns):

It replaces passwords in the following format:

Case-insensitive password variable:

Password=myPassword
password=myPassword

Different line endings:

Password=myPassword (with nothing to follow)
Password=myPassword; (followed by semicolon)
Password=myPassword this a continuation (followed by space)

This is the pattern I have used: (?i)(?<=password=)(.*?)(?=(\;|$| ))
I used this to test it against: https://regex101.com/

This is what it translates to in an NLog variable:

<variable name="replacePasswords" value="${replace:searchFor=(?i)(?&lt;=password=)(.*?)(?=(\;|$| )):replaceWith=******:regex=true:inner=${message}}" />

And this is how I used it as part of my Database logger:

<parameter name="@Message" layout="${replacePasswords}" />

Hope this helps.
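The patterns discussed in this thread can be checked outside NLog with the same .NET regex engine the replace layout renderer uses. The following is an added example, not code from the thread or from the NLog project; the class name `MaskingDemo`, the `KeyValue` and `Json` variants and all sample lines are assumptions constructed for illustration. It runs the last comment's pattern next to a variant that also stops at line breaks and handles the JSON form asked about earlier.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: MaskingDemo and every sample line below are constructed.
public static class MaskingDemo
{
    // Pattern from the thread, unchanged (unquoted key=value form).
    static readonly Regex ThreadPattern =
        new Regex(@"(?i)(?<=password=)(.*?)(?=(\;|$| ))");

    // Variant: the value ends at ';' or any whitespace, so a line break after
    // the password (exception text, stack traces) also terminates the match.
    static readonly Regex KeyValue =
        new Regex(@"(?<=password=)[^;\s]+", RegexOptions.IgnoreCase);

    // JSON form "password":"value"; the value may contain escaped quotes.
    static readonly Regex Json = new Regex(
        @"(?<=""password""\s*:\s*"")(?:\\.|[^""\\])*(?="")",
        RegexOptions.IgnoreCase);

    // Apply both variants; each only touches the form it was written for.
    public static string Mask(string message) =>
        Json.Replace(KeyValue.Replace(message, "******"), "******");

    public static void Main()
    {
        string[] samples =
        {
            "Server=db1;User Id=app;Password=myPassword;Timeout=30",
            "Login failed. password=myPassword",
            // Password followed by a line break: '$' without Multiline only
            // matches at the end of the input, so ThreadPattern finds nothing.
            "Cannot open Password=myPassword\n   at Data.Open()",
            "{\"members\":[{\"password\":\"139347\",\"Id\":55}]}",
            "{\"password\":\"a\\\"b\",\"Id\":1}",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input : " + s.Replace("\n", "\\n"));
            Console.WriteLine("thread: " +
                ThreadPattern.Replace(s, "******").Replace("\n", "\\n"));
            Console.WriteLine("both  : " + Mask(s).Replace("\n", "\\n"));
        }
    }
}
```

Both the thread's pattern and the `KeyValue` variant treat a space as the end of an unquoted value, so a password that itself contains a space is only masked up to that space.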
