Hiding sensitive request data when using convertReqRes #57
Comments
github-actions
bot
added
the
agent-nodejs
…gify
The current winston usage is a single ecsFormat formatter that handles
both (a) putting together the ECS fields and then (b) serializing that
to JSON (along with ecs-logging's preference for some serialized field
order).
const log = winston.createLogger({
format: ecsFormat(<options>),
Splitting these two steps into separate winston formatters allows for
some composability. For example, redacting sensitive info, as requested
in #57.
const { ecsFields, ecsStringify } = require('@elastic/ecs-winston-format')
const log = winston.createLogger({
format: winston.format.combine(
ecsFields(<options>),
// Add a custom formatter to redact fields here.
ecsStringify()
),
Fixes: #57
|
@lancegliser Hi, thanks for the ticket. Sorry for the delay. I started a draft PR with a possible solution for this. Basically I split the ecsFormat functionality into two: (a) gather the ECS fields in one formatter, then (b) do the JSON stringification in another one. That allows one to use Here is an example usage: https://github.com/elastic/ecs-logging-nodejs/blob/trentm/winston-redact/loggers/winston/examples/redact-fields.js#L83-L91 Would you be willing to give this a try? I can roll this into a release soon. |
|
I left some comments about this on the PR #65 on Apr 8. My mistake. Should I keep comments here, or on the PR? |
|
Good morning @trentm. We closed out the serialization issue last week. Tried installing the additions today, but it appears the branch that separates is still outstanding. Needing anything from me here? |
|
Hello @lancegliser. I am good. I am working my way through a number of issues and plan to get to this one soon. |
… ecsStringify (take 2) (#161) This adds `ecsFields` and `ecsStringify` formats. `ecsFormat` is now just a composition of the two. Named import is now preferred, but the old default export remains for now for backwards compat. The single downside here is that the order of serialized fields no longer follows the spec (https://github.com/elastic/ecs-logging/blob/main/spec/spec.json) suggestion of having `@timestamp` then `log.level` then `message` then the rest ordering. This was a trade-off with avoiding creating an additional object for each log record. Fixes: #57 Obsoletes: #65
I'm currently using
{ convertReqRes: true }to fill out the ECS fields. Lovely addition, thanks for it!But, I do have one problem. I've got some headers that shouldn't slip through to my Kibana users, such as
authorization: bearer {token}.I've got my own formatter for Winston I'm using after this one, and I can see the data you've produced at info
Symbol(message), but not message. I can't actually get intoSymbol(message), as it's private by design. How should I get that data obscured or removed?The text was updated successfully, but these errors were encountered: