Do not advise TLS off for any logging service
This encourages people to send their query texts and the like as
plaintext over the Internet!  A quizzical customer pointed this out,
for a service where the only thing necessary to do was to change the
port and check the box, Logentries.

I since have doubled back and verified:

* LogDNA
* Logentries / Rapid7 insightOps (acquired name)
* Loggly
* Papertrail

Two of the other providers require their certificate be installed;
thus, this patch must come after
citusdata/cloudplane#957 is deployed.
Logentries uses GoDaddy and does not give cert bundle guidance,
Papertrail provides a cert bundle, but it is also a major vendor and
handled by the Mozilla bundle.

I suppose in principle it might be nice if the customer could define
the CA expected, or we only installed necessary certs for the vendor
selected, but, alas: complexity, and the current situation is much
worse.

Unfortunately, so far, we have been unable to turn up any rationale
for why we were so lackadaisical about TLS in our guidance: it simply
always was and passed without detectable remark in pull requests,
commit texts, comments, and emails.

The two times this could have been detected were when the CloudPlane
stuff was committed -- I was the reviewer, and could have asked why
TLS was optional -- and when the manual was updated to include the
three TLS-free provider directives.  Unlike obliged SOC2 procedures
nowadays, CloudCon's commit of this was unilateral. It was in Aug
2016, and the first customers were Apr 2016 or so.

Some hyperlinks from when Mistakes Were Made:

#413
citusdata/cloudcon#45
citusdata/cloudplane#145
Daniel Farina authored and jonels-msft committed Oct 17, 2019
1 parent 3d7938f commit 378d387
Showing 1 changed file with 20 additions and 20 deletions.
40 changes: 20 additions & 20 deletions cloud/logging.rst
Expand Up @@ -43,26 +43,26 @@ Replace :code:`<token>` with the custom token listed in the provider's web site.

**Papertrail**

+------------------+-------------------------+
| Hostname | logs4.papertrailapp.com |
+------------------+-------------------------+
| Port | 19493 |
+------------------+-------------------------+
| TLS | Yes |
+------------------+-------------------------+
| Protocol | IETF Syslog |
+------------------+-------------------------+
| Message Template | |
+------------------+-------------------------+
+------------------+---------------------------+
| Hostname | logs<N>.papertrailapp.com |
+------------------+---------------------------+
| Port | port defined per account |
+------------------+---------------------------+
| TLS | Yes |
+------------------+---------------------------+
| Protocol | BSD Syslog |
+------------------+---------------------------+
| Message Template | |
+------------------+---------------------------+

**Loggly**

+------------------+------------------------------------------------------------------------------------------------------+
| Hostname | logs-01.loggly.com |
+------------------+------------------------------------------------------------------------------------------------------+
| Port | 514 |
| Port | 6514 |
+------------------+------------------------------------------------------------------------------------------------------+
| TLS | No |
| TLS | Yes |
+------------------+------------------------------------------------------------------------------------------------------+
| Protocol | BSD Syslog over TCP |
+------------------+------------------------------------------------------------------------------------------------------+
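
Review bot: In the Papertrail table the new Hostname and Port cells, `logs<N>.papertrailapp.com` and "port defined per account", are placeholders, but nothing in the hunk tells the reader where to find their values. Add a sentence above the table saying where the account's log destination is shown, in the same way the section already explains `<token>`. The Protocol cell also moves from IETF Syslog to BSD Syslog without a mention in the commit message, so please confirm that change is intentional. In the Loggly table the Protocol cell still reads "BSD Syslog over TCP" beside TLS Yes and port 6514; if the TLS row alone is meant to carry that information, keep the wording consistent across all provider tables.
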
Expand All @@ -83,16 +83,16 @@ Replace :code:`<token>` with the custom token listed in the provider's web site.
| Message Template | ``<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [<token>@41123] $MSG\\n`` |
+------------------+-------------------------------------------------------------------------------------+

**Logentries**
**Logentries** / **Rapid7 insightOps**

+------------------+------------------------------------+
| Hostname | data.logentries.com |
| Hostname | us.data.logs.insight.rapid7.com |
+------------------+------------------------------------+
| Port | 80 |
| Port | 443 |
+------------------+------------------------------------+
| TLS | No |
| TLS | Yes |
+------------------+------------------------------------+
| Protocol | IETF Syslog |
| Protocol | BSD |
+------------------+------------------------------------+
| Message Template | ``<token> $ISODATE $HOST $MSG\\n`` |
+------------------+------------------------------------+
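
Review bot: The new Protocol cell in the Logentries / Rapid7 insightOps table reads just "BSD", while the other tables in this diff write "BSD Syslog" or "BSD Syslog over TCP"; use the same wording here. The row switches from IETF Syslog to BSD while the Message Template row, ``<token> $ISODATE $HOST $MSG\\n``, is left unchanged, so please confirm the template was tested against the new endpoint on port 443. The new hostname begins with `us.`; if that prefix selects a region, the docs should say what accounts outside that region should enter.
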
Expand All @@ -102,9 +102,9 @@ Replace :code:`<token>` with the custom token listed in the provider's web site.
+------------------+------------------------------------------------------------------------------------------------------+
| Hostname | syslog-a.logdna.com |
+------------------+------------------------------------------------------------------------------------------------------+
| Port | 514 |
| Port | 6514 |
+------------------+------------------------------------------------------------------------------------------------------+
| TLS | No |
| TLS | Yes |
+------------------+------------------------------------------------------------------------------------------------------+
| Protocol | BSD Syslog over TCP |
+------------------+------------------------------------------------------------------------------------------------------+
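
Review bot: The Port and TLS rows for syslog-a.logdna.com now direct readers to 6514 with TLS on, but the documentation text records nothing about certificate requirements, even though the commit message says two providers require their certificate to be installed and that this patch must come after citusdata/cloudplane#957 is deployed. Confirm that deployment has happened before this page is published, since a customer who follows the new table earlier would be configuring a TLS connection the platform cannot yet verify. A short note under the affected tables stating that the provider's CA certificate is installed on the platform side would also tell customers that no certificate step is expected of them.
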