Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-37159

Log redaction should not be applied to the internal commands

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 3.2.17, 3.6.10
    • Fix Version/s: Backlog
    • Component/s: Diagnostics, Logging
    • Labels:

      Description

      At present, log redaction, if enabled will obfuscate the context of internal commands such as serverStatus, repSetRequestVotes and others:

      "example"

      Show all

      2018-09-06T00:24:40.439+0000 I COMMAND  [conn251824] command admin.$cmd command: serverStatus { serverStatus: "###", advisoryHostFQDNs: "###", locks: "###", recordStats: "###", oplog: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:30747 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 257800 } } } protocol:op_query 258ms
      2018-09-06T00:24:41.916+0000 I COMMAND  [conn251838] command local.oplog.rs command: serverStatus { serverStatus: "###", oplog: "###", tcmalloc: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:31169 locks:{ Global: { acquireCount: { r: 4 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 112077 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 145ms
       
      2018-09-06T00:27:12.325+0000 I COMMAND  [conn258969] command local.replset.election command: replSetRequestVotes { replSetRequestVotes: "###", setName: "###", dryRun: "###", term: "###", candidateIndex: "###", configVersion: "###", lastCommittedOp: { ts: "###", t: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:63 locks:{ Global: { acquireCount: { r: 3, w: 1 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 15506 } }, Database: { acquireCount: { r: 1, W: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_msg 2155ms
       
      2018-09-06T00:26:04.124+0000 I COMMAND  [conn13513] command local.oplog.rs command: collStats { collstats: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:7095 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 226736 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 227ms
       
      2018-09-06T00:07:16.791+0000 I COMMAND  [conn15543] command admin.system.users command: saslStart { saslStart: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:155 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1360894 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1364ms
       
      2018-09-06T00:07:18.315+0000 I COMMAND  [conn15543] command admin.system.users command: saslContinue { saslContinue: "###", conversationId: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:78 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1370885 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1371ms
       
      2018-09-06T00:08:44.730+0000 I COMMAND  [conn15543] command admin.$cmd command: listDatabases { listDatabases: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:281 locks:{ Global: { acquireCount: { r: 10 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 2710522 } }, Database: { acquireCount: { r: 4 } } } protocol:op_query 2711ms
       
      2018-09-06T00:22:41.772+0000 I COMMAND  [conn14] command admin.$cmd command: replSetHeartbeat { replSetHeartbeat: "###", configVersion: "###", from: "###", fromId: "###", term: "###", $replData: "###", $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:406 locks:{} protocol:op_msg 588ms
       
      2018-09-06T00:21:09.058+0000 I COMMAND  [conn460078] command admin.$cmd command: replSetUpdatePosition { replSetUpdatePosition: "###", optimes: [ { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" } ], $replData: { term: "###", lastOpCommitted: { ts: "###", t: "###" }, lastOpVisible: { ts: "###", t: "###" }, configVersion: "###", replicaSetId: "###", primaryIndex: "###", syncSourceIndex: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:228 locks:{} protocol:op_msg 2550ms
      

      These log messages could not possibly contain PII data and therefore should not be redacted. Needless to say, that obfuscating these logs messages makes diagnostics harder.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              backlog-server-security Backlog - Security Team
              Reporter:
              dmitry.ryabtsev Dmitry Ryabtsev
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Dates

                Created:
                Updated: