Reputation: 41428
Custom Processing on Python logging messages in a generic way
I am trying to figure out the best approach to apply some custom processing on Python logging messages with minimal impact to our codebase.
The problem is this: we have many different projects logging a lot of things, and among these can be found some AWS keys. As a security requirement, we need to strip out all AWS keys from the logs, and there are multiple ways to go about this:
- The naive approach would be to go in each and every project, and modify each logging call to manually strip out keys. This is the least preferred approach as it would be the most manual.
- Implement a different module that provides the same function as the
loggingmodule (likeinfo,error, ...) and each function definition would first apply a regex to filter out AWS keys, and then call the actualloggingmethod behind the scenes. Then each project can be modified to something likeimport custom_logging_module as loggingand none of the logging calls need to be modified. The drawback of this approach though is that it looks like every logging call comes from this module in the log, so you can't track where your messages originate from. - Not sure in what form yet, but it sounds like it would be possible to implement a custom
LoggerorLogRecordand register it when initializing the logging. This wouldn't have the problems of the previous approach.
I have done some research on approach #3 but couldn't really find a way to do this. Does anyone have experience applying some custom processing on logging messages that would apply to this use case?
Upvotes: 3
Views: 888
Answers (1)
Reputation: 99365
You could use a custom LogRecord class to achieve this, as long as you could identify keys in text unambiguously. For example:
import logging
import re
KEY = 'PK_SOME_PUBLIC_KEY'
SECRET_KEY = 'SK_SOME_PRIVATE_KEY'
class StrippingLogRecord(logging.LogRecord):
pattern = re.compile(r'\b[PS]K_\w+\b', re.I)
def getMessage(self):
message = super(StrippingLogRecord, self).getMessage()
message = self.pattern.sub('-- key redacted --', message)
return message
if hasattr(logging, 'setLogRecordFactory'):
# 3.x has this
logging.setLogRecordFactory(StrippingLogRecord)
else:
# 2.x needs monkey-patching
logging.LogRecord = StrippingLogRecord
logging.basicConfig(level=logging.DEBUG)
logging.debug('Message with a %s', KEY)
logging.debug('Message with a %s', SECRET_KEY)
In my example I've assumed you could use a simple regex to spot keys, but a more sophisticated alternative method could be used if that's not workable.
Note that the above code should be run before any of the code which logs keys.
Upvotes: 5
Related Questions
- Using python Logging with AWS Lambda
- python logging in aws lambda
- Custom log file in Lambda with Python
- Python modifying logging message info?
- Partial logging in AWS Lambda using Python
- Python "logging" module get access to log message for parsing
- Write to Logs in Python with Inline Message
- Python: How to create and use a custom logger in python use logging module?
- Using JSON Log Format from a Python lambda
- Python customize logging