Logstop

:fire: Keep personal data out of your logs

logger.info "Hi [email protected]!"
# => Hi [FILTERED]!

By default, scrubs:

  • email addresses
  • phone numbers
  • credit card numbers
  • Social Security numbers (SSNs)
  • passwords in URLs

Works with all types of logging - Ruby, Active Record, Active Job, and more

User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."email" = ?  [["email", "[FILTERED]"]]

Works even when sensitive data is URL-encoded with plus encoding

Build Status

Installation

Add this line to your application’s Gemfile:

gem "logstop"

And add it to your logger:

Logstop.guard(logger)

Rails

Create config/initializers/logstop.rb with:

Logstop.guard(Rails.logger)

Options

To scrub IP addresses (IPv4), use:

Logstop.guard(logger, ip: true)

To scrub MAC addresses, use:

Logstop.guard(logger, mac: true)

Add custom rules with:

scrubber = lambda do |msg|
  msg.gsub(/custom_regexp/, "[FILTERED]".freeze)
end

Logstop.guard(logger, scrubber: scrubber)

Disable default rules with:

Logstop.guard(logger,
  email: false,
  phone: false,
  credit_card: false,
  ssn: false,
  url_password: false
)

To scrub outside of logging, use:

Logstop.scrub(msg)

It supports the same options as guard.

Notes

This should be used in addition to config.filter_parameters, not as a replacement.

Learn more about securing sensitive data in Rails.

Also:

  • To scrub existing log files, check out scrubadub
  • To anonymize IP addresses, check out IP Anonymizer
  • To scan for unencrypted personal data in your database, check out pdscan

Resources

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

To get started with development:

git clone https://github.com/ankane/logstop.git
cd logstop
bundle install
bundle exec rake test