Logstop

:fire: Keep personally identifiable information (PII) out of your logs

logger.info "Hi test@example.org!"
# => Hi [FILTERED]!

By default, scrubs:

• email addresses
• phone numbers
• credit card numbers
• Social Security numbers (SSNs)
• passwords in URLs

Works with all types of logging - Ruby, Active Record, Active Job, and more

User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."email" = ?  [["email", "[FILTERED]"]]

Works even when sensitive data is URL-encoded with plus encoding

Installation

Add this line to your application’s Gemfile:

gem 'logstop'

And add it to your logger:

Logstop.guard(logger)

Rails

Create config/initializers/logstop.rb with:

Logstop.guard(Rails.logger)

Options

To scrub IP addresses (IPv4), use:

Logstop.guard(logger, ip: true)

Add custom rules with:

scrubber = lambda do |msg|
  msg.gsub(/custom_regexp/, "[FILTERED]".freeze)
end

Logstop.guard(logger, scrubber: scrubber)

Disable default rules with:

Logstop.guard(logger,
  email: false,
  phone: false,
  credit_card: false,
  ssn: false,
  url_password: false
)

To scrub outside of logging, use:

Logstop.scrub(msg)

It supports the same options as guard.

Notes

This should be used in addition to config.filter_parameters, not as a replacement.

Learn more about securing sensitive data in Rails.

Also:

• To scrub existing log files, check out scrubadub
• To anonymize IP addresses, check out IP Anonymizer
• To scan for unencrypted personal data in your database, check out pdscan

Resources

• List of PII, as defined by NIST

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

• Report bugs
• Fix bugs and submit pull requests
• Write, clarify, or fix documentation
• Suggest or add new features

To get started with development:

git clone https://github.com/ankane/logstop.git
cd logstop
bundle install
bundle exec rake test