[core.logging] Add RewriteAppender for filtering LogMeta.

[lukeelmers]

Closes #57547

Summary

Implements a RewriteAppender for the purposes of filtering / manipulating a LogRecord, as described in the original issue. The approach here is based on log4j2's RewriteAppender.

Each rewrite appender uses a designated policy which describes what part of the LogRecord to manipulate. This PR starts with a single meta policy for modifying LogMeta. The policy has a mode which can either be remove or update, and takes in a list of paths in the LogMeta object which are to be modified.

For the time being we are intentionally keeping this undocumented in the public docs in case we choose to make future changes, as the legacy filtering behavior was also undocumented.

Usage

Here's a full example configuration which logs both to the console and a log file, censoring the cookie request header from the http response logs:

logging:
  appenders:
    console:
      type: console
      layout:
        type: pattern
        highlight: true
        pattern: "[%date][%level][%logger] %message %meta"
    file:
      type: file
      fileName: ./kibana.log
      layout:
        type: json
    censor:
      type: rewrite
      appenders: [console, file]
      policy:
        type: meta
        mode: update
        properties:
          - path: "http.request.headers.cookie"
            value: "[REDACTED]"
  loggers:
    - name: http.server.response
      appenders: [censor]
      level: debug

The remove mode does not take a value as it simply deletes the provided path:

logging:
  appenders:
    censor:
      type: rewrite
      appenders: [console]
      policy:
        type: meta
        mode: remove
        properties:
          - path: "some.path.to.delete"

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[lukeelmers]

Currently all sensitive headers are filtered in the http response logging, and the filters cannot be disabled.

In this PR, I removed the filtering code from http, and here have "wrapped" our default console appender in a rewrite appender that performs the same logic.

However, there is one main caveat: While this ensures nothing sensitive is logged with a default configuration, the protection is gone as soon as you customize your config to use something other than the console appender. I tried to think of another way to enforce this more widely while also making it configurable, and I didn't come up with any great solutions that didn't involve creating another standalone config option. Open to suggestions though!

[mshustov]

While this ensures nothing sensitive is logged with a default configuration, the protection is gone as soon as you customize your config to use something other than the console appender. I tried to think of another way to enforce this more widely while also making it configurable, and I didn't come up with any great solutions that didn't involve creating another standalone config option.

That might be a reason not to use RewriteAppender internally to filter out sensitive data (but provide it as public API). We can either implement a custom filtering logic always applicable to http.request / http.response contexts. Or filter out sensitive properties when creating meta object https://github.com/elastic/kibana/blob/master/src/core/server/http/logging/get_response_log.ts

How it works now in the Legacy platform? Does it always censor the sensitive content?

[lukeelmers]

Or filter out sensitive properties when creating meta object

@restrry Yeah, that's the approach we take now, the only issue is that it can't be disabled, and IIRC this was one of the reasons we wanted a rewrite appender to begin with, for the case where we have a reason to allow sensitive headers through for support/debugging purposes.

That's why the only alternative that comes to mind is a new config option to disable filters, which would then be used inside the http response logger getResponseLog. But in the spirit of having One Way Of Doing Things (TM), it'd be nice to use the existing config if we can.

Actually, as I think about it, this is an issue that would possibly be solved by our discussion around having logger-specific default appender configurations.

How it works now in the Legacy platform? Does it always censor the sensitive content?

It filters them out by default (just authorization and cookie), but you can disable that using the (undocumented) logging.filter settings - e.g. logging.filter.cookie=none to remove filter from that header in hapi/good.

kibana/packages/kbn-legacy-logging/src/get_logging_config.ts

Lines 53 to 60 in 72670eb

	// I'm adding the default here because if you add another filter
	// using the commandline it will remove authorization. I want users
	// to have to explicitly set --logging.filter.authorization=none or
	// --logging.filter.cookie=none to have it show up in the logs.
	filter: _.defaults(config.filter, {
	authorization: 'remove',
	cookie: 'remove',
	}),

[mshustov]

Yeah, that's the approach we take now, the only issue is that it can't be disabled, and IIRC this was one of the reasons we wanted a rewrite appender to begin with, for the case where we have a reason to allow sensitive headers through for support/debugging purposes.

I'd say it's nice to have. It is better to not add such a feature than to add it but with the possibility of sensitive data leakage due to incorrect configuration:

 While this ensures nothing sensitive is logged with a default configuration,
the protection is gone as soon as you customize your config to use something other than the console appender. 

Actually, as I think about it, this is an issue that would possibly be solved by our discussion around having logger-specific default appender configurations.

Are you implying that we can hide the Meta object from the logs? The pattern does not apply to json layout.

[lukeelmers]

I'd say it's nice to have. It is better to not add such a feature than to add it but with the possibility of sensitive data leakage due to incorrect configuration

Fair point, so do you think we should:

1. Keep the hardcoded filtering of sensitive header fields, meaning we can't turn those off for debugging purposes
2. Go with option 1 but also introduce a new config flag to disable this for debugging purposes (e.g. logging.filterSensitiveHttpHeaders or whatever). The flag would default to true but could be disabled if someone wanted to use a custom rewrite appender.
3. Some other option I'm not thinking of?

Ideally I'd like to not introduce another config flag, but I'm also unsure of how we could otherwise make it possible to disable the filtering.

Are you implying that we can hide the Meta object from the logs?

No, sorry that was a bit vague. I meant if we went the route of having predefined default appender configurations on a per-logger basis (similar to the ES config file), then this would be another use case for those and would solve this problem. But if we go the simpler route of removing the meta from the pattern by default, that won't help us in this case.

[mshustov]

Keep the hardcoded filtering of sensitive header fields, meaning we can't turn those off for debugging purposes

As for me, it's an acceptable trade-off. Any other opinions? @joshdover @pgayvallet @TinaHeiligers

[lukeelmers]

Yeah the more I think about it, the hardcoded approach feels like the safest option for the time being. And then if we were to consider an enhancement in 8.x to support logger-specific appender defaults as discussed in #90457, it would allow us to move these settings there anyway.

[TinaHeiligers]

@lukeelmers

For the time being we are intentionally keeping this undocumented in case we choose to make future changes, as the legacy filtering behavior was also undocumented.

While I understand that the initial implementation is pretty much a MVP, IMHO, I must disagree with not documenting the RewriteAppender in at least the dev docs. Being able to censor/filter sensitive data is a powerful feature, even at an MVP stage and I envisage it leading to some head scratching down the line when folks are using logs for debugging.

The fact the filtering in the LP isn't documented shouldn't hold us back from doing the right thing, at least at the dev level.

[lukeelmers]

@TinaHeiligers I'm perfectly comfortable documenting this for devs -- I think the only reason we previously decided to make this internal was because the legacy filtering is also undocumented and we wanted to reserve the right to make changes in the future (or decide whether we want to support this functionality long-term at all).

Since we don't yet have proper docs on the new logging system, I will just add a mention to the README for now and clarify that it's experimental/internal.

[mshustov]

I can't find MetaRewritePolicy in log4j http://logging.apache.org/log4j/2.x/manual/appenders.html#RewritePolicy
Do we call so because we apply a policy to Meta object only?

[TinaHeiligers]

I think MetaRewritePolicy is a combined modification of log4j's MapRewritePolicy and PropertiesRewritePolicy where we're using the type field and the properties field rather than the keyValuePair in MetaRewritePolicy and we're allowing fields to be added too ( what PropertiesRewritePolicy does). And, yes, the policy is applied to the meta property. It's hard to tell though because our implementation isn't a 1-to-1 with log4j.

[lukeelmers]

Do we call so because we apply a policy to Meta object only?

Yeah exactly, they have a map and properties rewrite policy, so I called this meta as it is only scoped to the LogMeta. With this pattern, in the future we could have something like a message or level policy that will rewrite those items specifically.

[mshustov]

While this ensures nothing sensitive is logged with a default configuration, the protection is gone as soon as you customize your config to use something other than the console appender. I tried to think of another way to enforce this more widely while also making it configurable, and I didn't come up with any great solutions that didn't involve creating another standalone config option.

That might be a reason not to use RewriteAppender internally to filter out sensitive data (but provide it as public API). We can either implement a custom filtering logic always applicable to http.request / http.response contexts. Or filter out sensitive properties when creating meta object https://github.com/elastic/kibana/blob/master/src/core/server/http/logging/get_response_log.ts

How it works now in the Legacy platform? Does it always censor the sensitive content?

[TinaHeiligers]

I went through the initial implementation and it seems to make sense. I tried to pull the code and run it locally but keep hitting a config error on start up (probably local).

I'd really like to see something in the README on the final implementation though.

[TinaHeiligers]

I think MetaRewritePolicy is a combined modification of log4j's MapRewritePolicy and PropertiesRewritePolicy where we're using the type field and the properties field rather than the keyValuePair in MetaRewritePolicy and we're allowing fields to be added too ( what PropertiesRewritePolicy does). And, yes, the policy is applied to the meta property. It's hard to tell though because our implementation isn't a 1-to-1 with log4j.

[lukeelmers]

I tried to pull the code and run it locally but keep hitting a config error on start up (probably local).

I'll update the README, but the example config I gave in the PR description should be working without an error if you want to play around with it.

[TinaHeiligers]

... but the example config I gave in the PR description should be working without an error if you want to play around with it.

A direct copy-paste throws the following:

/Users/christianeheiligers/Projects/kibana/packages/kbn-config-schema/target/out/types/literal_type.js:17
    handleError(type, { value, valids: [expectedValue] }) {
                        ^
TypeError: Cannot destructure property 'value' of 'undefined' as it is undefined.

Changing kind to type gets rid of that but also doesn't work directly:

/Users/christianeheiligers/Projects/kibana/packages/kbn-config-schema/target/out/types/type.js:51
            throw new errors_1.ValidationError(error, namespace);
                  ^
Error: [config validation of [logging].appenders.file]: types that failed validation:
- [config validation of [logging].0.type]: expected value to equal [console]
- [config validation of [logging].1.fileName]: expected value of type [string] but got [undefined]
- [config validation of [logging].2.type]: expected value to equal [legacy-appender]
- [config validation of [logging].3.type]: expected value to equal [rewrite]
- [config validation of [logging].4.type]: expected value to equal [rolling-file]

Removing the file appender solves that. What am I missing in the config?

[lukeelmers]

Ah sorry @TinaHeiligers, I added that example before #90764 was merged and some of the properties were renamed. I've updated now, let me know if you hit any issues.

[pgayvallet]

Few NITS, overall looking great

[mshustov]

optional: It's good we enforce immutability, but we pay the extra cost when cloning the array. IMO we can assume that no-one mutates the array.

[lukeelmers]

@elasticmachine merge upstream

[lukeelmers]

@elasticmachine merge upstream

[TinaHeiligers]

This is a great addition to our new logging system and even though we're not using the implementation in the default config right now, it's going to be super useful when we get around to #92082.
LGTM!

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: fb23cb1
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💔 Build #108933 failed 102d490
• 💚 Build #108932 succeeded 3d2a945
• 💚 Build #108584 succeeded dcee4b9
• 💚 Build #108243 succeeded e0f4c58
• 💚 Build #108086 succeeded a6632ee

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @lukeelmers

[kibanamachine]

💚 Backport successful

✅ 7.x / #92724

Successful backport PRs will be merged automatically after passing CI.