> I don't see why the log shouldn't be able to store similar information.  
Depending on where you live, logging such information may be an illegal act
(breach of Data Protection, data misuse) or a breach of industry regulations
(e.g. recording the 3 security digits from the back of a credit card).  Log
files are not always controlled in the same way as other systems, nor do
they really need to be.  The admin who manages the servers and can lift
the log files may or may not be the same admin who maintains (say) the
bank's databases.

Then there is the aspect of international law.  It might be legal in the USA
to log personally identifiable information, but in Europe you may already be
getting into trouble if you did so.  And if that log file was sent to
someone outside of Europe, then your company would almost certainly be in
breach and in very serious trouble indeed.

> If we go down the path you're suggesting, one should also not store this
> information in a database!
Correct.  And some information should NOT be stored in a database.  A common
example is credit card information: most companies are simply not permitted
to hold certain card info after the transaction is successful.  Unencrypted
passwords are another example.  I have seen systems which log usernames and
passwords into log files.  If the FDA saw that happening at a drugs company
in the USA, they'd throw a blue fit!

> But logging the fact they made a bill payment for $5,000 can be useful
> if they call up later after something goes wrong.
That information should still not be in a log file IMHO (privacy); the
transaction will certainly be recorded somewhere much more appropriate
(having worked in the banking sector, I never once had to use the log file
for such information; I just looked at the transaction records directly.)

If such information does need to be logged, that logging now falls under the
realm of a business process and will be subject to a completely different
set of rules set by the client.  Whilst I am sure that you could use Log4J in this
case, more than likely you would be using something else as you are likely
to be logging into a business system.  I work with software which does this.
On certain events we need to "log" who did what and why.  This is done into
the fully locked down audit system of the content repository, not into an
easily modifiable text file.

Normal log files are there to aid the support team in diagnosing what is
causing the user problems (be it user error, excessive load or a bug).
These log files should not be used to record vital business operational,
audit or other information.  There are other systems much more suited to
those jobs (as mentioned above).

Right, please excuse me whilst I clamber off this soap box...

J.
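The post above warns against credentials and card data (PAN, CVV) ending up in ordinary diagnostic log files. One practical safeguard, in addition to not logging such fields in the first place, is a filter that redacts them before any appender writes the record. The following is an added example written for this page, not code from the thread or from Log4J; it uses Python's standard `logging` module, whose `Filter` plays the same role as a Log4J filter. The field names (`password`, `cvv`), the sample log lines, the logger name `payments.demo` and the Luhn check used to avoid masking ordinary 16-digit order numbers are all assumptions made for the example.

```python
import logging
import re
from io import StringIO

# Patterns for the kinds of data the thread says must never reach a log file.
# Field names are assumptions for this example; extend them for your own code.
_PASSWORD_RE = re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+')
_CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}')
# 13 to 16 digit runs, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r'\b(?:\d[ -]?){12,15}\d\b')


def _luhn_ok(digits):
    """Luhn checksum, so a Luhn-invalid 16-digit order id is not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match):
    """Keep only the last four digits of anything that passes the Luhn check."""
    raw = match.group(0)
    digits = re.sub(r'[ -]', '', raw)
    if not _luhn_ok(digits):
        return raw
    return '*' * (len(digits) - 4) + digits[-4:]


def redact(text):
    """Remove passwords and CVVs outright; mask card numbers to the last four digits."""
    text = _PASSWORD_RE.sub(lambda m: f'{m.group(1)}=[REDACTED]', text)
    text = _CVV_RE.sub(lambda m: f'{m.group(1)}=[REDACTED]', text)
    text = _PAN_RE.sub(_mask_pan, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees the record."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already interpolated, so drop the args
        return True


def build_logger(stream):
    """Logger whose every handler receives only redacted records (filter sits on the logger)."""
    logger = logging.getLogger('payments.demo')
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.addFilter(RedactingFilter())
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter('%(levelname)s %(message)s'))
    logger.addHandler(handler)
    return logger


def demo():
    """Run three constructed events through the logger and return the written lines."""
    buf = StringIO()
    log = build_logger(buf)
    # Constructed sample events of the kind the thread warns about.
    log.info("login attempt user=alice password=Tr0ub4dor&3")
    log.debug("charging card 4111 1111 1111 1111 cvv=123 amount=5000.00")
    log.info("order 1234567890123456 shipped")  # Luhn-invalid, so left untouched
    return buf.getvalue().splitlines()


if __name__ == '__main__':
    for line in demo():
        print(line)
```

Attaching the filter to the logger rather than to a single handler matters: a filter on one appender still leaves the raw record visible to every other appender, which is exactly how the same secret ends up in a second file nobody thought about. The redaction is a safety net, not a substitute for keeping such data out of log statements altogether.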
