-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Providing a flag to hide log lines from the web interface #305
Comments
Why do you want to turn that feature off?
…On Sun, 29 Mar 2020, 22:51 Guillaume ESPANEL, ***@***.***> wrote:
Hello!
currently, mtail can expose log lines through the web interface (for
example through the /progz endpoint) when they cause a program to fail (eg.
by trying to compare a string with an int).
What is your opinion on having a command line flag that would prevent
these log lines to be exposed through the web interface?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#305>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXFX63M5IVKOYY2EQECJ3DRJ4Y47ANCNFSM4LV6CIOQ>
.
|
In some cases, logs may contain sensitive information (think for example, a username, or an IP address) that would be better not to expose. When things are working nicely, this shouldn't be a problem. But if the application log format changes and breaks the mtail program, it could become an information leak. |
Yep that makes sense. Do you not firewall the mtail port though?
…On Mon, 30 Mar 2020, 21:37 Guillaume ESPANEL, ***@***.***> wrote:
In some cases, logs may contain sensitive information (think for example,
a username, or an IP address) that would be better not to expose.
When things are working nicely, this shouldn't be a problem. But if the
application log format changes and breaks the mtail program, it could
become an information leak.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#305 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXFX64TUQCYG5NX7TBNN6DRKBY7ZANCNFSM4LV6CIOQ>
.
|
We sure would firewall it :p! |
That's a good reason!
…On Tue, 31 Mar 2020 at 21:18, Guillaume ESPANEL ***@***.***> wrote:
We sure would firewall it :p!
But the people who have shell access to Prometheus (to edit its config for
example) do not necessarily have access to sensitive logs.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#305 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXFX64NECVPCDLJKE3EN2TRKG7P7ANCNFSM4LV6CIOQ>
.
|
I reopened the original PR with a new branch. I also added an option to disable the /varz and /progz endpoints, as those could also leak some information that is not intended for public access as typically needed with prometheus. |
Hello!
currently, mtail can expose log lines through the web interface (for example through the /progz endpoint) when they cause a program to fail (eg. by trying to compare a string with an int).
What is your opinion on having a command line flag that would prevent these log lines to be exposed through the web interface?
The text was updated successfully, but these errors were encountered: