We have a Quarkus application that exposes API endpoints to receive requests containing a file and upload that file to an S3 bucket.
When the application's root log level is set to DEBUG and a request is sent, the application log prints the security token, the credentials, and information such as the file content and file name.
How can we disable this?
We do not want the application log to contain this information, even when the log level is set to DEBUG.
Below is a sample log.
```text
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] REGISTERED
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] CONNECT: test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9, L:/192.168.3.254:50328 - R:test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443] ACTIVE
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9, L:/192.168.3.254:50328 - R:test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443] WRITE: software.amazon.awssdk.http.nio.netty.internal.NettyRequestExecutor$StreamedRequest(DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
PUT /0148ffa2-52c0-11ec-ae45-02b72c6380ad/1727073495061-testfile.txt HTTP/1.1
Host: test-bucket.s3.ap-south-1.amazonaws.com
amz-sdk-invocation-id: d455aa4e-4a17-0a54-8340-12aeaa515ab2
amz-sdk-request: attempt=1; max=4
Authorization: AWS4-HMAC-SHA256 Credential=ASIA3NWURXFPB7MDWNVL/20240923/ap-south-1/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-meta-contenttype;x-amz-meta-uploadedfilename;x-amz-security-token, Signature=50f108e5685ad5ea34e668e386d34a7d503e99e8b2339eb4eba8b6eb3022296
Content-Length: 58
```
I tried using log4j2 properties to filter out log lines containing certain keywords, as shown below:
```xml
<Appenders>
    <!-- Console appender -->
    <Console name="Console" target="SYSTEM_OUT">
        <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} %-5p [%c{2.}] (%t) %s%e%n"/>
        <!-- Regex filter to block specific DEBUG logs -->
        <Filters>
            <RegexFilter regex="^.*\[so.am.aw.requestId\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
            <RegexFilter regex="^.*\[so.am.aw.co.in.ExecutionInterceptorChain\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
            <RegexFilter regex="^.*\[so.am.aw.request\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
            <RegexFilter regex="^.*\[so.am.aw.co.in.ht.pi.st.AsyncSigningStage\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
            <RegexFilter regex="^.*\[so.am.aw.ht.au.aw.in.si.DefaultV4RequestSigner\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
            <!-- Filter to exclude DEBUG level logs -->
            <LevelFilter level="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/>
        </Filters>
    </Console>
</Appenders>
```
But that did not help either.
I even tried filtering specific logs with a Java class, but it still does not work. Here is the sample:
```java
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.pattern.ConverterKeys;
import org.apache.logging.log4j.core.pattern.LogEventPatternConverter;
import org.apache.logging.log4j.core.pattern.PatternConverter;

// Custom pattern converter, registered as %maskLogs in the PatternLayout
@Plugin(name = "LogMaskingConverter", category = PatternConverter.CATEGORY)
@ConverterKeys({"maskLogs"})
public class LogMaskingConverter extends LogEventPatternConverter {

    // Define the patterns you want to block/mask
    private static final String[] BLOCK_PATTERNS = {
        "so.am.aw.requestId",
        "so.am.aw.co.in.ExecutionInterceptorChain",
        "so.am.aw.request",
        "so.am.aw.co.in.ht.pi.st.AsyncSigningStage",
        "so.am.aw.ht.au.aw.in.si.DefaultV4RequestSigner",
        "sof.ama.aws.requestId",
        "sof.ama.aws.request",
        "sof.ama.aws.cor.int.ExecutionInterceptorChain",
        "sof.ama.aws.htt.aut.aws.int.sig.DefaultV4RequestSigner",
        "sof.ama.aws.cor.int.htt.pip.sta.SigningStage"
    };

    protected LogMaskingConverter(String name, String style) {
        super(name, style);
    }

    // This method is used by Log4J's engine. Do not remove it.
    public static LogMaskingConverter newInstance(final Configuration config, final String[] options) {
        return new LogMaskingConverter("maskLogs", Thread.currentThread().getName());
    }

    @Override
    public void format(LogEvent event, StringBuilder outputMessage) {
        // Retrieve the log message
        String messageString = event.getMessage().getFormattedMessage();
        // Check if the message contains any blocked pattern
        for (String pattern : BLOCK_PATTERNS) {
            if (messageString.contains(pattern)) {
                // Mask or block the log message by replacing it with a placeholder
                outputMessage.append("[SENSITIVE DATA MASKED]");
                return;
            }
        }
        // If no pattern matches, append the original log message
        outputMessage.append(messageString);
    }
}
```
You will not find "so.am.aw.request" in the log message, because it is not part of the log message. The log message is only the part of the log event that describes what happened, for example "[id: 0x775d66e9] REGISTERED", and it is printed by the `%m` pattern converter. See `Message` for more details.

"so.am.aw.request" is the abbreviated form of the logger name ("software.amazon.awssdk.request"). Every logger can be configured individually (see logger configuration); all you need to do is configure it with a level stricter than `DEBUG`. Amazon has a guide on wire logging that tells you which loggers you need to enable or disable.
```xml
<Loggers>
    ...
    <!--
      ~ Loggers involved in wire logging,
      ~ do **NOT** enable `DEBUG` on production.
      -->
    <Logger name="software.amazon.awssdk.request" level="WARN" />
    <Logger name="io.netty.handler.logging" level="WARN" />
    <Logger name="io.netty.handler.codec.http2.Http2FrameLogger" level="WARN" />
</Loggers>
```
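To check that the per-logger levels above really take precedence over a DEBUG root logger, here is an added self-test using the log4j2 `Configurator` API (example code written for this answer, not from the question, the AWS SDK or log4j; the class name `WireLoggingLevelCheck` and the application logger `com.example.upload` are assumptions):

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;

// Hypothetical check class: applies the levels from the XML above programmatically
// and verifies that the wire-logging loggers stay quiet even with root=DEBUG.
public class WireLoggingLevelCheck {

    // Logger names from the wire-logging guide: at DEBUG they print the request line,
    // the Authorization header (credential + signature) and the request body.
    static final String[] WIRE_LOGGERS = {
        "software.amazon.awssdk.request",
        "io.netty.handler.logging",
        "io.netty.handler.codec.http2.Http2FrameLogger"
    };

    /** Same effect as the XML: root at DEBUG (the risky global setting), wire loggers at WARN. */
    static void configure() {
        Configurator.setRootLevel(Level.DEBUG);
        for (String name : WIRE_LOGGERS) {
            Configurator.setLevel(name, Level.WARN); // per-logger level overrides the root level
        }
    }

    /**
     * True when neither the wire loggers nor their children (levels are inherited, so
     * io.netty.handler.logging.LoggingHandler follows io.netty.handler.logging) would emit
     * DEBUG, while an application logger still does.
     */
    static boolean wireLoggingSuppressed() {
        for (String name : WIRE_LOGGERS) {
            Logger parent = LogManager.getLogger(name);
            Logger child = LogManager.getLogger(name + ".SomeChild"); // constructed child name
            if (parent.isDebugEnabled() || child.isDebugEnabled()) {
                return false;
            }
        }
        return LogManager.getLogger("com.example.upload").isDebugEnabled();
    }

    public static void main(String[] args) {
        configure();
        System.out.println("wire logging suppressed: " + wireLoggingSuppressed()); // expected: true
    }
}
```

In a Quarkus application the same per-category override is expressed in `application.properties` as `quarkus.log.category."software.amazon.awssdk.request".level=WARN` (one entry per logger listed above), which keeps the wire loggers quiet regardless of `quarkus.log.level`.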