Providing a flag to hide log lines from the web interface

Open quatre opened this issue 6 years ago • 6 comments

Hello!

Currently, mtail can expose log lines through the web interface (for example through the /progz endpoint) when they cause a program to fail (e.g. by trying to compare a string with an int).

What is your opinion on having a command line flag that would prevent these log lines from being exposed through the web interface?

quatre avatar Mar 29 '20 11:03 quatre

Why do you want to turn that feature off?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/google/mtail/issues/305, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAXFX63M5IVKOYY2EQECJ3DRJ4Y47ANCNFSM4LV6CIOQ .

jaqx0r avatar Mar 29 '20 22:03 jaqx0r

In some cases, logs may contain sensitive information (think, for example, a username or an IP address) that would be better not to expose.

When things are working nicely, this shouldn't be a problem. But if the application log format changes and breaks the mtail program, it could become an information leak.

quatre avatar Mar 30 '20 10:03 quatre

Yep, that makes sense. Do you not firewall the mtail port though?

jaqx0r avatar Mar 30 '20 22:03 jaqx0r

We sure would firewall it :p! But the people who have shell access to Prometheus (to edit its config for example) do not necessarily have access to sensitive logs.

quatre avatar Mar 31 '20 10:03 quatre

That's a good reason!

jaqx0r avatar Apr 13 '20 00:04 jaqx0r

I reopened the original PR with a new branch. I also added an option to disable the /varz and /progz endpoints, as those could also leak some information that is not intended for public access as typically needed with Prometheus.
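
The two controls discussed in this thread, withholding the offending log line and not serving /progz at all while metrics stay scrapeable, sketched as an added example; this is not mtail's code or the code from the PR. `Options`, `Report`, `NewMux`, `Fetch`, the field names and the sample log line are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options uses hypothetical names; these are not mtail's flags.
type Options struct{ HideLogLines, DisableDebugPages bool }

// Report formats a runtime error; a hidden line is dropped before it is stored.
func Report(o Options, prog, msg, line string) string {
	if o.HideLogLines {
		line = "<withheld>"
	}
	return fmt.Sprintf("%s: %s; line: %q", prog, msg, line)
}

// NewMux always serves /metrics; errs is read-only here, so no locking is shown.
func NewMux(o Options, errs []string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "lines_total 1")
	})
	if o.DisableDebugPages {
		return mux // /progz is never registered, so it answers 404
	}
	mux.HandleFunc("/progz", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		for _, e := range errs {
			fmt.Fprintln(w, e)
		}
	})
	return mux
}

// Fetch reports one constructed failing line, then requests path in-process.
func Fetch(o Options, path string) (int, string) {
	errs := []string{Report(o, "auth.mtail", "type mismatch", "user=alice ip=203.0.113.7")}
	rr := httptest.NewRecorder()
	NewMux(o, errs).ServeHTTP(rr, httptest.NewRequest("GET", path, nil))
	return rr.Code, rr.Body.String()
}

func main() {
	for _, o := range []Options{{}, {HideLogLines: true}, {DisableDebugPages: true}} {
		fmt.Println(Fetch(o, "/progz"))
	}
}
```

Dropping the line when the error is recorded, rather than when the page is rendered, means it cannot reappear through another handler that reads the same stored error.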