ecs-logging-nodejs
Hiding sensitive request data when using convertReqRes
I'm currently using { convertReqRes: true } to fill out the ECS fields. Lovely addition, thanks for it!
But, I do have one problem. I've got some headers that shouldn't slip through to my Kibana users, such as authorization: bearer {token}.
I've got my own formatter for Winston I'm using after this one, and I can see the data you've produced at info Symbol(message), but not message. I can't actually get into Symbol(message), as it's private by design. How should I get that data obscured or removed?
@lancegliser Hi, thanks for the ticket. Sorry for the delay.
I started a draft PR with a possible solution for this. Basically I split the ecsFormat functionality into two: (a) gather the ECS fields in one formatter, then (b) do the JSON stringification in another one. That allows one to use winston.format.combine() to place another Winston formatter in the middle that handles redaction. See #65 for details.
Here is an example usage: https://github.com/elastic/ecs-logging-nodejs/blob/trentm/winston-redact/loggers/winston/examples/redact-fields.js#L83-L91
One could have a simple formatter that simply hardcodes censoring the "http.request.headers.authorization" field. However, I played with a Winston formatter that uses the fast-redact module for generic redaction (as the pino logger does for its redact feature).
Would you be willing to give this a try? I can roll this into a release soon.
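The pipeline described in the comment above (gather ECS fields, redact, then stringify) as an added example; this is not code from ecs-logging-nodejs or from the linked PR. It assumes only the Winston formatter contract (an object whose `transform(info)` returns the mutated `info`, which is what `winston.format.combine()` chains) and reimplements a tiny `combine()` so it runs without Winston installed; the dot-path syntax with `*` wildcards is a small subset of what fast-redact accepts, and the request headers and token value are constructed sample data. `Symbol.for('message')` is the triple-beam `MESSAGE` symbol Winston transports read, so the final JSON line lands where the original poster saw the unredacted one.

```javascript
'use strict';

// Winston (via triple-beam) stores the serialized log line under this symbol;
// transports emit info[MESSAGE], not info.message.
const MESSAGE = Symbol.for('message');
const CENSOR = '[REDACTED]';

// Walk a dot-separated path such as "http.request.headers.authorization" and
// replace the leaf value only if every intermediate object exists. A "*"
// segment matches every key at that level. Returns the number of values
// censored; a missing path leaves the object untouched.
function redactPath(obj, segments, censor) {
  if (obj === null || typeof obj !== 'object') return 0;
  const [head, ...rest] = segments;
  const keys = head === '*'
    ? Object.keys(obj)
    : (Object.prototype.hasOwnProperty.call(obj, head) ? [head] : []);
  let hits = 0;
  for (const key of keys) {
    if (rest.length === 0) {
      if (obj[key] !== undefined) { obj[key] = censor; hits++; }
    } else {
      hits += redactPath(obj[key], rest, censor);
    }
  }
  return hits;
}

// Winston-style format (hypothetical helper) that censors the given paths in
// place. It must run after the ECS fields exist and before stringification.
function redactFormat(paths, censor = CENSOR) {
  const parsed = paths.map((p) => p.split('.'));
  return {
    transform(info) {
      for (const segments of parsed) redactPath(info, segments, censor);
      return info;
    }
  };
}

// Stand-in for the stringifying half of the split ecsFormat: JSON.stringify
// skips symbol keys, so the line itself is not re-embedded.
const jsonFormat = {
  transform(info) {
    info[MESSAGE] = JSON.stringify(info);
    return info;
  }
};

// Stand-in for winston.format.combine(): apply formats left to right, and stop
// if one returns false (Winston's signal to drop the entry).
function combine(...formats) {
  return {
    transform(info) {
      for (const f of formats) {
        info = f.transform(info);
        if (!info) return false;
      }
      return info;
    }
  };
}

// Constructed sample of what the ECS field-gathering formatter produces for a
// request logged with { convertReqRes: true }; the token is made up.
function sampleInfo() {
  return {
    level: 'info',
    message: 'handled request',
    http: {
      request: {
        method: 'get',
        headers: {
          authorization: 'Bearer eyJhbGciOi.constructed.token',
          cookie: 'session=abc123',
          'user-agent': 'curl/7.0'
        }
      },
      response: { status_code: 200 }
    }
  };
}

// Run the three-stage pipeline over the sample and return the final info.
function demo() {
  const pipeline = combine(
    redactFormat(['http.request.headers.authorization', 'http.request.headers.cookie']),
    jsonFormat
  );
  return pipeline.transform(sampleInfo());
}

console.log(demo()[MESSAGE]);
```

With real Winston, `redactFormat([...])` drops into `winston.format.combine(ecsFields, redactFormat([...]), ecsStringify)` in place of the two stand-ins; the point of the split is that the redaction step sees plain `info.http.request.headers.*` keys rather than an already-serialized string.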
I left some comments about this on the PR #65 on Apr 8. My mistake. Should I keep comments here, or on the PR?
Good morning @trentm.
We closed out the serialization issue last week. Tried installing the additions today, but it appears the branch that separates is still outstanding. Needing anything from me here?
Hello @lancegliser. I am good. I am working my way through a number of issues and plan to get to this one soon.