 

Encrypted logger for Java

I'll put the question upfront:

Is there a logger available in Java that does encryption (preferably 128-bit AES or better)?

I've done a lot of searching for this over the last couple of days. There are a few common themes to what I've found:

  • Dissecting information between log4j and log4j2 is giving me headaches (but mostly unrelated to the task at hand)
  • Most threads are dated, including the ones here on SO. This one is probably the best I've found on SO, and one of the newer answers links to a roll-your-own version.
  • The most common answer is "roll-your-own", but these answers are also a few years old at this point.
  • A lot of people question why I or anyone would do this in Java anyway, since it's simple enough to analyze Java code even without the source.

For the last point, it's pretty much a moot point for my project. We also use a code obfuscator and could employ other obfuscation techniques. The point of using encryption is simply to raise the bar of figuring out our logs above "trivially easy", even if it's only raised to "mildly time-consuming". A slightly relevant aside - the kind of logging we're going to encrypt is intended merely for alpha/beta, and will likely only include debug, warn, and error levels of logging (so the number of messages to encrypt should be fairly low).

The best I've found for Log4j2 is in their documentation:

KeyProviders

Some components within Log4j may provide the ability to perform data encryption. These components require a secret key to perform the encryption. Applications may provide the key by creating a class that implements the SecretKeyProvider interface.

But I haven't really found anything other than wispy statements along the lines of 'plug-ins are capable of doing encryption'. I haven't found a plug-in that actually has that capability.

I have also just started trying to find other loggers for Java to see if they have one implemented, but nothing is really jumping out for searches like 'java logging encryption'.

Shaz asked Jan 26 '15 17:01




1 Answer

Basically, log encryption is not best practice; there are limited situations where you may need this functionality. Mainly, people who have access to the logs also have access to the JVM, and in the JVM all the logs are at least generated as Strings, so even if you encrypt them in the log file or console, the real values will be available in the JVM String Pool. So if anyone ever needs to hack your logs, it will be as easy as having a look in the String Pool.

But anyway, if you need a way to encrypt the logs, and as there is no generic way for this, the best way in my opinion is to go with AspectJ. This will have minimum impact on your sources: you will write code as you have done before, but the logs will be encrypted. Following is simple application code which will encrypt all the logs from all the compiled sources, using AspectJ, SLF4J as the logging facade and Log4j2 as the logging implementation.

The simple class which logs the "Hello World"

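import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class Main {

    private static final Logger LOG = LoggerFactory.getLogger(Main.class);

    public static void main(String[] args) {
        LOG.info("Hello World");
        // {0} is MessageFormat syntax; it is expanded by the aspect below, not by SLF4J
        LOG.info("Hello {0}", "World 2");
    }

}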

Aspect which encrypts (in this case just edits the text)

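import java.text.MessageFormat;
import java.util.Arrays;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

@Aspect
public class LogEncryptAspect {

    // Intercept every call to org.slf4j.Logger.info(..) in the woven sources
    @Around("call(* org.slf4j.Logger.info(..))")
    public Object encryptLog(ProceedingJoinPoint thisJoinPoint) throws Throwable {
        Object[] arguments = thisJoinPoint.getArgs();
        if (arguments[0] instanceof String) {
            // Format the message with its arguments first, then replace the message text
            String encryptedLog = encryptLogMessage((String) arguments[0],
                    arguments.length > 1 ? Arrays.copyOfRange(arguments, 1, arguments.length) : null);
            arguments[0] = encryptedLog;
        }

        // Continue the original logger call with the rewritten message
        return thisJoinPoint.proceed(arguments);
    }

    // TODO change this to apply some kind of encryption
    public final String encryptLogMessage(String message, Object... args) {
        if (args != null) {
            return MessageFormat.format(message, args) + " encrypted";
        }
        return message + " encrypted";
    }

}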

The output is :

[main] INFO xxx.Main - Hello World encrypted

[main] INFO xxx.Main - Hello World 2 encrypted

Babl answered Sep 30 '22 16:09