AWS SDK for Java 2.x prints the file contents when the log level is set to DEBUG

Question (votes: 0, answers: 1)

We have a Quarkus application that exposes API endpoints which accept requests containing a file and upload that file to an S3 bucket.

When the application's root log level is set to DEBUG and a request is sent, the application log prints the security token, the credentials, the file contents, the file name and similar information.

How can we disable this?

We do not want the application log to contain this information, even when the log level is set to DEBUG.

Below is a sample log.

```text
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] REGISTERED
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] CONNECT: test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9, L:/192.168.3.254:50328 - R:test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443] ACTIVE
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9, L:/192.168.3.254:50328 - R:test-bucket.s3.ap-south-1.amazonaws.com/52.219.64.101:443] WRITE: software.amazon.awssdk.http.nio.netty.internal.NettyRequestExecutor$StreamedRequest(DefaultHttpRequest(decodeResult: success, version: HTTP/1.1)
PUT /0148ffa2-52c0-11ec-ae45-02b72c6380ad/1727073495061-testfile.txt HTTP/1.1
Host: test-bucket.s3.ap-south-1.amazonaws.com
amz-sdk-invocation-id: d455aa4e-4a17-0a54-8340-12aeaa515ab2
amz-sdk-request: attempt=1; max=4
Authorization: AWS4-HMAC-SHA256 Credential=ASIA3NWURXFPB7MDWNVL/20240923/ap-south-1/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-meta-contenttype;x-amz-meta-uploadedfilename;x-amz-security-token, Signature=50f108e5685ad5ea34e668e386d34a7d503e99e8b2339eb4eba8b6eb3022296
Content-Length: 58
```

I tried using log4j2 properties to filter out logs containing certain keywords, as shown below:

```xml
<Appenders>
  <!-- Console appender -->
  <Console name="Console" target="SYSTEM_OUT">
    <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} %-5p [%c{2.}] (%t) %s%e%n"/>
    <!-- Regex filter to block specific DEBUG logs -->
    <Filters>
      <RegexFilter regex="^.*\[so.am.aw.requestId\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
      <RegexFilter regex="^.*\[so.am.aw.co.in.ExecutionInterceptorChain\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
      <RegexFilter regex="^.*\[so.am.aw.request\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
      <RegexFilter regex="^.*\[so.am.aw.co.in.ht.pi.st.AsyncSigningStage\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
      <RegexFilter regex="^.*\[so.am.aw.ht.au.aw.in.si.DefaultV4RequestSigner\].*" onMatch="DENY" onMismatch="NEUTRAL"/>
      <!-- Filter to exclude DEBUG level logs -->
      <LevelFilter level="DEBUG" onMatch="ACCEPT" onMismatch="DENY"/>
    </Filters>
  </Console>
</Appenders>
```

But this did not help either.

I even tried using a Java class to filter specific logs, but it still does not work. Here is the sample:

```java
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.pattern.ConverterKeys;
import org.apache.logging.log4j.core.pattern.LogEventPatternConverter;
import org.apache.logging.log4j.core.pattern.PatternConverter;

// Class declaration and plugin annotations are assumed; the question shows only the body.
// The converter is referenced from a PatternLayout as %maskLogs.
@Plugin(name = "maskLogs", category = PatternConverter.CATEGORY)
@ConverterKeys({"maskLogs"})
public class LogMaskingConverter extends LogEventPatternConverter {

    // Define the patterns you want to block/mask
    private static final String[] BLOCK_PATTERNS = {
            "so.am.aw.requestId",
            "so.am.aw.co.in.ExecutionInterceptorChain",
            "so.am.aw.request",
            "so.am.aw.co.in.ht.pi.st.AsyncSigningStage",
            "so.am.aw.ht.au.aw.in.si.DefaultV4RequestSigner",
            "sof.ama.aws.requestId",
            "sof.ama.aws.request",
            "sof.ama.aws.cor.int.ExecutionInterceptorChain",
            "sof.ama.aws.htt.aut.aws.int.sig.DefaultV4RequestSigner",
            "sof.ama.aws.cor.int.htt.pip.sta.SigningStage"
    };

    protected LogMaskingConverter(String name, String style) {
        super(name, style);
    }

    // This method is used by Log4J's engine. Do not remove it.
    public static LogMaskingConverter newInstance(final Configuration config, final String[] options) {
        return new LogMaskingConverter("maskLogs", Thread.currentThread().getName());
    }

    @Override
    public void format(LogEvent event, StringBuilder outputMessage) {
        // Retrieve the log message (the formatted message text only, not the logger name)
        String messageString = event.getMessage().getFormattedMessage();

        // Check if the message contains any blocked pattern
        for (String pattern : BLOCK_PATTERNS) {
            if (messageString.contains(pattern)) {
                // Mask or block the log message by replacing it with a placeholder
                outputMessage.append("[SENSITIVE DATA MASKED]");
                return;
            }
        }

        // If no pattern matches, append the original log message
        outputMessage.append(messageString);
    }
}
```
Tags: quarkus log4j2

1 Answer

Votes: 0

You will not find "so.am.aw.request" in the log message, because it is not part of the log message. The log message is only the part of the log event that describes what happened, for example "[id: 0x775d66e9] REGISTERED", and it is printed by the `%m` pattern converter. See Messages for more details.

"so.am.aw.request" is the abbreviated form of the logger name ("software.amazon.awssdk.request"). Every logger can be configured individually (see Logger configuration); all you need to do is configure it with a level stricter than `DEBUG`. Amazon has a guide on wire logging that tells you which loggers you need to enable or disable.

```xml
<Loggers>
  ...
  <!--
    ~ Loggers involved in wire logging,
    ~ do **NOT** enable `DEBUG` on production.
    -->
  <Logger name="software.amazon.awssdk.request" level="WARN" />
  <Logger name="io.netty.handler.logging" level="WARN" />
  <Logger name="io.netty.handler.codec.http2.Http2FrameLogger" level="WARN" />
</Loggers>
```
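An added check, not code from the question or the answer: it reads log output in the question's layout (timestamp, level, abbreviated logger name in square brackets, thread in parentheses, message), treats lines without a timestamp as continuations of the previous entry (which is how the HTTP headers under a Netty WRITE appear), and reports which logger emitted credential material, so you know which categories to raise above DEBUG. The sample log, key ID and token are constructed placeholders, and the leak patterns are assumptions based on the headers shown in the question.

```python
import re
from collections import namedtuple
# One entry header in the question's layout: timestamp, level, abbreviated logger (%c{2.}), thread, message.
ENTRY_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [A-Z]+ +\[(?P<logger>[^\]]+)\] \([^)]+\) (?P<msg>.*)$")

# Material that must never reach a log file; the key names the kind of finding (assumed patterns).
LEAK_PATTERNS = {
    "sigv4-authorization": re.compile(r"Authorization: AWS4-HMAC-SHA256 Credential="),
    "access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "session-token": re.compile(r"^x-amz-security-token: \S+", re.I | re.M),
    "wire-request": re.compile(r"\bWRITE: .*?^(?:PUT|POST) /", re.S | re.M),  # Netty dump of an upload
}
Finding = namedtuple("Finding", "ts logger kind")  # deliberately carries no secret value

def parse_entries(text):
    """Group raw lines into (ts, logger, message) entries. A line without a timestamp
    prefix, such as the HTTP headers under a Netty WRITE, continues the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append([m["ts"], m["logger"], m["msg"]])
        elif entries:
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def find_leaks(text):
    """Which logger emitted which kind of credential material."""
    return [Finding(ts, logger, kind)
            for ts, logger, msg in parse_entries(text)
            for kind, pat in LEAK_PATTERNS.items() if pat.search(msg)]

def loggers_to_silence(text):
    """Abbreviated logger names that need a level stricter than DEBUG."""
    return {f.logger for f in find_leaks(text)}

# Constructed sample in the question's format; key ID, signature and token are placeholders.
SAMPLE_LOG = """\
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] REGISTERED
2024-09-23 06:38:15 DEBUG [io.ne.ha.lo.LoggingHandler] (aws-java-sdk-NettyEventLoop-0-1) [id: 0x775d66e9] WRITE: DefaultHttpRequest(version: HTTP/1.1)
PUT /0148ffa2-52c0-11ec-ae45-02b72c6380ad/1727073495061-testfile.txt HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=ASIAEXAMPLEKEYID0001/20240923/ap-south-1/s3/aws4_request, Signature=0000
x-amz-security-token: CONSTRUCTED-SESSION-TOKEN-PLACEHOLDER
2024-09-23 06:38:16 INFO  [org.acme.UploadResource] (executor-thread-1) upload of testfile.txt accepted
"""
if __name__ == "__main__":  # prints each finding, then the loggers to raise above DEBUG
    print(*find_leaks(SAMPLE_LOG), sorted(loggers_to_silence(SAMPLE_LOG)), sep="\n")
```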