Hello Team,

Recently we have got an use case of masking the client sensitive information over the PegaRules logs. 

Problem statement :

What we log:

We are trying to log customer sensitive data and it can be customer id/email id any other PII data.

How we log the message:

1. Using Log-Message method over an activity

2. Using pxLogMessage OOTB function over an activity/ data transform.

What can be the message format?

The message format either it :

1. A single line text which contains the parameters or properties of a step page.

2. An xml page which can be a request page before we trigger an integration call

3. A json page which can be a request page before we trigger an integration call.

Which pega version do we use?

Pega infinity 

What do we need to achieve?

We would like to mask the PII data over the PegaRULES Logs.

What solutions we have tried ?

1. We tried encrypting the data over the logs by writing a custom function to encrypt the plain text passed over the pxLogMessage ootb function.

Feasibility:

We were able to encrypt the complete log message and we were able to decrypt it as well.

Business outcome/Metrics outcome:

Since we feel this is restricting the debugging capability as we may have to decrypt completely to know the whole log message and the whole purpose of debugging / hiding the PII data alone is getting defeated.

So, this solution wasn't accepted.

2. We relied on Attribute based access control to mask / encrypt the relevant PII specific properties.

Feasibility:

We were able to achieve in masking/ encrypting by using PropertyRead/ PropertyEncrypt methodologies.

Business outcome/metrics outcome:

We may have to cascade /set up a structure every time when an new application gets onboarded to follow the practice of creation of ABAC for their application specific PII data to be masked/ encrypted basically it requires developer attention.

Also, this had limitation while using the same PII properties to be used for validations post imposing ABAC on it, like we were unable to use it for decision making during flows or any other validation rules too.

Hence even this solution wasn't accepted.

3. We tried a practice of imposing regex pattern match over the PegaRules log by customizing prlog4j2.xml which we tried this once over personal edition which we got to know it was implemented in one of a On-premise application that was running on 8.6 above. [Refer: SampleConfig.xml file] or given below

<?xml version="1.0" encoding="UTF-8"?> <Configuration status="warn">     <Appenders>

<Console name="CONSOLE" target="SYSTEM_OUT">             <PatternLayout pattern="%d [%20.20t] [%10.10X{pegathread}] [%20.20X{tenantid}] [%20.20X{app}] (%30.30c{3}) %-5p %X{stack} %X{userid} - %replace{%m%n}{(The First name is )\S+}{****}%n"</>                         <Filters>                 <ThresholdFilter level="ALERT" onMatch="DENY" onMismatch="NEUTRAL"/>             </Filters>         </Console>

        <RollingRandomAccessFile  name="PEGA" fileName="${sys:pega.logdir}/PegaRULES.log" filePattern="${sys:pega.logdir}/PegaRULES-%d{MM-dd-yyyy}-%i.log.gz">             <PatternLayout>                 <Pattern>%d [%20.20t] [%10.10X{pegathread}] [%20.20X{tenantid}] [%20.20X{app}] (%30.30c{3}) %-5p %X{stack} %X{userid} - %replace{%m%n}{(The First name is )\S+}{****}%n"</Pattern>                 </PatternLayout>

Feasibility:

We were able to achieve in masking the relevant pattern/ variable match just like a given sample (this is not the actual pii variable but still a trial check been done)Recommendation required:

Since our application is on Pega infinity, can we implement the above solution by writing a regex pattern match with all of our relevant PII data formats which are in place. 

Do Pega systems recommend/ agree in package this file with our relevant patterns been written ?

If Yes to above question:

If Pegasystems has already agreed this solution in recent past, how long it took to get this exercise done?

If any one of you have done this exercise in recent past, do we have any support ticket so that we can refer considering the equivalence of your scenario with our scenario so that it will give Pegasystems a good outlook of the issue?

If No to the question given above:

Does Pegasystems have similar strategy of having the masking PII data been done via an additional file that is extended from prlog4j2.xml?

Does Pegasystems has different approach for masking PII data over the prlog4j2.xml file update?

Does Pegasystems has another approach of not even relying on any file updates?

If anyone of the above question satisfies the requirement of achieving masking PII data through any your previous experience through support ticket please provide the same or even if a contact from Pegasystems can let us know which channel/ distribution list are suitable POC to get this query addressed as well.

We would like to get this solution discussed/agreed between the Pegasystems and our platform hosting team to understand the solution is always inline with platform upgrades which may happen in future too.

We appreciate your suggestions and help on this issue.