Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use regexes to mask accesslog entries #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use regexes to mask accesslog entries #1

wants to merge 1 commit into from

Conversation

sriduth
Copy link

@sriduth sriduth commented Jun 4, 2019

  • Implemented regex access log masking for file access logs.

Description: For the file based access logger, apply a series of regex replaces. This will be used to sanitze logs in case where it could contain sensitive information.

api/envoy/config/accesslog/v2/file.proto has been changed to accept log line masks.

Risk Level: Medium

Testing: Unit tests pending, benchmarking / perf testing not done.

Docs Changes: None

Release Notes:

[Optional Fixes #Issue]
[Optional Deprecated:]

* Added API to specify regex based masking logic in accesslog.
ba7c12c 
* Implemented regex access log masking for file access logs.
@sriduth
Copy link
Author

sriduth commented Jun 4, 2019

Benchmark Results

Load is generated using wrk on a c5.xlarge. Target instances are t3.medium instances.

With 4 regexes

  8 threads and 100 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     3.15ms    1.56ms  86.92ms   84.42%
    Req/Sec     3.88k   383.22     4.75k    77.90%
  1853432 requests in 1.00m, 334.07MB read
Requests/sec:  30881.06
Transfer/sec:      5.57MB

With no regexes

Running 1m test @ https://172.16.100.197/route?sensitiveKey=1234
  8 threads and 100 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.75ms    1.19ms  83.94ms   89.21%
    Req/Sec     7.19k   596.32     8.21k    74.74%
  3434505 requests in 1.00m, 619.05MB read
Requests/sec:  57238.02
Transfer/sec:     10.32MB

With 1 regex

Running 1m test @ https://172.16.100.197/route?sensitiveKey=1234
  8 threads and 100 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     2.06ms    1.20ms  82.21ms   89.20%
    Req/Sec     5.98k   286.22     7.00k    77.99%
  2853410 requests in 1.00m, 514.31MB read
Requests/sec:  47548.78
Transfer/sec:      8.57MB

Envoy without this change

Running 1m test @ https://172.16.100.197/route?sensitiveKey=1234
  8 threads and 100 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     3.55ms    3.23ms  32.59ms   84.62%
    Req/Sec     4.11k   584.53     7.16k    73.44%
  1964702 requests in 1.00m, 354.13MB read
Requests/sec:  32738.16
Transfer/sec:      5.90MB

@sriduth
Copy link
Author

sriduth commented Jun 4, 2019

The regexes used here were variations on sensitiveKey=([0-9]{0,15}).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sriduth