How to Implement Secure and Compliant Log Management Standards

1. Purpose and Basis

Log information is one of the main tools developers use to troubleshoot production issues; this specification establishes effective and accurate troubleshooting, monitoring rules, and data security for log information.

2. Scope

The regulation applies to all system development projects.

3. Basic Principles

The maintenance rights of the system's

log4j.xml

/

log4j.xml.vm

configuration files belong to the system owner, who must not allow others to modify them arbitrarily. System owners are responsible for training developers on log standards and must review log configurations before a new system goes live.

Log development must adhere to the following principles:

Log output must not affect normal system operation.

Log output must not create security issues.

Logs must not contain company confidential information.

Logs must enable developers to locate the true cause of problems.

Logs must be usable for automated monitoring and analysis.

Log usage must meet security audit requirements.

4. Specification Content

4.1 Log File Definition

Log file names should be concise and clearly reflect the content; error logs must be written to

error.log

(webx system) or

common-error.log

. All online error logs should generate reports and be tracked for resolution within a defined timeframe.

Business processes that may cause data loss and financial impact must record remote disaster‑recovery logs to ensure traceability and rapid recovery.

Signature logs must be stored separately from non‑critical application logs and backed up independently.

4.2 Log File Retention

Raw logs are retained for 14 days by default; when disk space is insufficient, administrators delete older logs based on creation time and collect raw logs into a centralized storage system for management.

Application Log Retention Requirements

The retention period is determined by the business data contained in the log. If a log contains multiple business data types, the longest required retention applies, and the retention period is indicated in the log name.

Typical retention periods:

Authentication logs: 90 days online, 5 years total.

Transaction logs: 90 days online, 5 years total.

Critical data modification logs: 90 days online, 5 years total.

Other logs: 90 days both online and total.

Operating System and Component Log Retention

System logs: 1 year.

Apache logs: 3 months online, 1 year total.

4.3 Log Content Rules

Log4j defines six levels: TRACE, DEBUG, INFO, WARN, ERROR, FATAL. Production systems only log INFO level and above; DEBUG is logged only in test environments.

Prohibited practices:

Direct use of

System.out

,

System.err

, or

e.printStackTrace()

.

Using STDOUT/STDERR as logger names.

Including passwords, SMS codes, payment codes, ID numbers, or bank card numbers in log messages.

Including bank keys, merchant keys, or other secret information.

Any failure of logging code is unacceptable.

4.4 Security Log Management

Security‑related business logs must be as complete as possible and generated uniformly by the framework to ensure consistency. The framework provides:

Request parameter logging filter (optional).

Business description report API (requires application to report business type).

Exception description report API (requires application to report exceptions).

Log content must be desensitized according to the following principles:

Never log passwords, keys, or other highly sensitive data (e.g., login passwords, SMS codes, encryption keys, session IDs).

For personal and bank card information, only partial content may be logged.

Sensitive information categories and masking rules include:

Passwords/credentials: completely prohibited, even MD5 hashes.

Keys: encryption keys, private signing keys, HMAC keys – prohibited.

Credit card numbers: only first 6 and last 4 digits may be shown; full numbers are never logged.

Identity numbers: show first and last digit only.

Phone numbers: mask middle digits according to region‑specific rules.

Email addresses: show first three characters before “@”, then three asterisks.

Addresses: mask district‑to‑door‑number portion.

Names: mask leading characters based on length.

Vehicle VIN: show first three and last three characters.

IP/MAC addresses: retain only the first segment.

License plates: show region and last three characters, mask the rest.

4.5 Fund Log Management

Any operation involving fund flow must record a fund loss log, retained for 7 days by default (shorter retention allowed for high‑volume systems). Required fields include business document number, operation type (pay, refund, freeze, transfer), global UUID, amount, payer and payee accounts, and any additional platform‑specific information.

4.6 Monitoring Log Management

Critical business operations must generate monitoring logs containing date, business identifier, execution time, success/failure status, and business name, and each log must be fed into the business monitoring system.

4.7 Performance Log Management

Complex or performance‑sensitive interfaces should record performance logs using the company's unified performance logging tool.