With the planned switch of traffic from eqiad to codfw we will start shipping these log messages over the internet. As they contain PII (the user queries and IP addresses, but not names) we should look into encrypting the traffic. It looks like modern versions of Kafka support TLS encryption.
The library we use in PHP would have to be adjusted to support TLS; it currently uses a direct fsockopen call. We can likely abstract out the stream into normal and TLS versions. PHP supports TLS sockets via the stream API roughly as follows:
    $context = stream_context_create();
    $result = stream_context_set_option($context, 'ssl', 'local_cert', '/path/to/keys.pem');
    $socket = stream_socket_client('tls://'.$host.':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
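One way the normal/TLS split could look, with certificate and hostname verification switched on explicitly so the link over the internet is authenticated as well as encrypted. This is an added example, not the library's own code: the function names, the `$tls` array keys, the hostname and the CA path are assumptions.

```php
<?php
// Added example: hypothetical helpers, not the Kafka client library's API.

/**
 * Build the stream context for a broker connection.
 * $tls === null -> plain TCP, equivalent to the current fsockopen path.
 * $tls array    -> TLS; 'cafile' is required, 'local_cert' is optional.
 */
function kafkaStreamContext(string $host, ?array $tls)
{
    if ($tls === null) {
        return stream_context_create();
    }
    // Allow TLS 1.2, plus TLS 1.3 where this PHP build defines the constant.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= constant('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT');
    }
    $ssl = [
        'verify_peer'      => true,           // reject untrusted certificates
        'verify_peer_name' => true,           // reject certificates for another host
        'peer_name'        => $host,
        'cafile'           => $tls['cafile'], // CA that signs the broker certificates
        'crypto_method'    => $methods,
    ];
    if (isset($tls['local_cert'])) {
        $ssl['local_cert'] = $tls['local_cert']; // client certificate, as in the snippet above
    }
    return stream_context_create(['ssl' => $ssl]);
}

/** Open a plain or TLS stream; callers read and write it the same way. */
function openKafkaStream(string $host, int $port, ?array $tls = null, float $timeout = 30.0)
{
    $scheme = $tls === null ? 'tcp' : 'tls';
    $socket = @stream_socket_client("$scheme://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, kafkaStreamContext($host, $tls));
    if ($socket === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }
    return $socket;
}

// Constructed values; building the context needs no network and no real files.
$ctx = kafkaStreamContext('kafka.example.org',
    ['cafile' => '/path/to/ca.pem', 'local_cert' => '/path/to/keys.pem']);
var_dump(stream_context_get_options($ctx)['ssl']);
```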