Page MenuHomePhabricator
Create Task
Maniphest T126989

MediaWiki logging & encryption
Open, HighPublic
Actions

Description

Currently, MediaWiki logs to fluorine (via udp2log), Logstash and Kafka. None of these are currently encrypted in any way.

As a) we would like to log to loghosts across the datacenter boundary and b) logging sometimes includes sensitive information including PII, we should explore ways to encrypt these logging flows.

Details

SubjectRepoBranchLines +/-
rsyslog: change udp_localhost_compat to define, add mwlog_compatoperations/puppetproduction+76 -25
[WIP] mirror udp2log data into the logging pipelineoperations/mediawiki-configmaster+28 -0
monolog: add MwlogHandlermediawiki/coremaster+103 -0
profile: kafkatee instance for udp2log compatoperations/puppetproduction+163 -0
logrotate: add old_dir parameteroperations/puppetproduction+6 -2
[WIP] add kafkatee to mwlogoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

faidon created this task.Feb 15 2016, 4:44 PM
faidon raised the priority of this task from to High.
faidon updated the task description. (Show Details)
faidon added projects: SRE, MediaWiki-Logevents.
faidon edited projects, added MediaWiki-Debug-Logger, Wikimedia-Logstash; removed MediaWiki-Logevents.
faidon set Security to None.
faidon added subscribers: Volker_E, Legoktm, JanZerebecki and 8 others.
bd808 added a comment.Feb 15 2016, 4:57 PM

Logging from MediaWiki to Logstash is done via syslog formatted UDP datagrams. Logging from MediaWiki to Fluorine is a UDP datagram flow using the custom udp2log packet encoding. We also use various UDP logging protocols (primarily GELF) to ship debug log events from nodejs and Java applications to Logstash. Adding DTLS support to both client and server for any of these will require non-trivial changes.

It may be easier to introduce a local proxy application that MediaWiki (and other services) can log to using cheap UDP communications and let that service take the brunt of encrypting communications with other endpoints. The lumberjack protocol is one TLS secured method of communicating with Logstash. Rsyslog also has TLS support which could in theory be used to move udp2log datagrams from server to server.

faidon added a comment.May 11 2016, 1:33 PM

Another idea (Ori's) is to use Kafka for log shipping. Kafka 0.9 (deployed at Wikimedia as we speak) has encryption/authentication/authorization features, we already use it for all of our access log shipping and I believe the Discovery team is already using it from MediaWiki to push logs.

bd808 added a subscriber: EBernhardson.May 11 2016, 3:40 PM
In T126989#2285067, @faidon wrote:

Another idea (Ori's) is to use Kafka for log shipping. Kafka 0.9 (deployed at Wikimedia as we speak) has encryption/authentication/authorization features, we already use it for all of our access log shipping and I believe the Discovery team is already using it from MediaWiki to push logs.

CirrusSearch and the Action API both ship high volume log events to the Hadoop cluster using kafka and strongly typed binary Avro encoded messages. Logstash also consumes a different Kafka topic to publish EventLogging errors in kibana.

@EBernhardson rigged up most of the Monolog->Kafka pipeline.

fgiunchedi added subscribers: elukey, Ottomata, fgiunchedi.Dec 1 2016, 7:53 PM

I don't think we have encryption for kafka yet ? I'd love to be wrong though cc @Ottomata @elukey
Once we have kafka encryption we could use that for shipping mw logs too to logstash

Ottomata added a comment.Dec 1 2016, 7:54 PM

Timeline for this just discussed and noted in T152015

Ottomata added a comment.Dec 1 2016, 7:55 PM

There is at least one logstash consumer that uses Kafka: https://logstash.wikimedia.org/app/kibana#/dashboard/elasticsearch/eventlogging-errors

All the logs in this dashboard come from a Kafka topic.

Ottomata added a comment.Dec 1 2016, 7:56 PM

Uh, apparently that dashboard doesn't work anymore...(been a long time since I looked at it). Sorry! But it has been done before! :)

fgiunchedi mentioned this in T123728: replace fluorine with mwlog servers (was: Upgrade fluorine to trusty/jessie).Mar 9 2017, 5:10 PM
faidon added a project: observability.Jul 10 2017, 1:01 PM
Imarlier subscribed.Mar 13 2018, 3:56 PM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:31 PM
fgiunchedi added a comment.Feb 7 2019, 1:35 PM

Status update: mw logs that were going to logstash in plaintext now are being sent via localhost -> rsyslog -> kafka -> logstash and the network paths are encrypted.

udp2log for mediawiki is still present for debug / high volume logs, however it'll be deprecated in T205856: Retire udp2log: onboard its producers and consumers to the logging pipeline, with end state being that all mw logs are encrypted during transport on the network.

CDanis awarded a token.Feb 7 2019, 1:41 PM
CDanis rescinded a token.
CDanis awarded a token.
fgiunchedi added a comment.Feb 15 2019, 4:17 PM
In T126989#4934746, @fgiunchedi wrote:

Status update: mw logs that were going to logstash in plaintext now are being sent via localhost -> rsyslog -> kafka -> logstash and the network paths are encrypted.

udp2log for mediawiki is still present for debug / high volume logs, however it'll be deprecated in T205856: Retire udp2log: onboard its producers and consumers to the logging pipeline, with end state being that all mw logs are encrypted during transport on the network.

See also https://phabricator.wikimedia.org/T205856#4957430 for the plan (input/feedback welcome!)

fgiunchedi added a parent task: T205856: Retire udp2log: onboard its producers and consumers to the logging pipeline.Mar 4 2019, 12:49 PM
gerritbot subscribed.Mar 4 2019, 3:51 PM

Change 494254 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/mediawiki-config@master] WIP: mirror udp2log data into the logging pipeline

https://gerrit.wikimedia.org/r/494254

gerritbot added a project: Patch-For-Review.Mar 4 2019, 3:51 PM
gerritbot added a comment.Mar 5 2019, 11:39 AM

Change 492390 had a related patch set uploaded (by Filippo Giunchedi; owner: Herron):
[operations/puppet@production] rsyslog: change udp_localhost_compat to define, add mwlog_compat

https://gerrit.wikimedia.org/r/492390

gerritbot added a comment.Mar 21 2019, 2:44 PM

Change 498106 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[mediawiki/core@master] [WIP] monolog: add MwlogHandler

https://gerrit.wikimedia.org/r/498106

gerritbot added a comment.Mar 22 2019, 2:23 PM

Change 498386 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] [WIP] kafkatee instance for udp2log compat

https://gerrit.wikimedia.org/r/498386

gerritbot added a comment.Mar 22 2019, 2:23 PM

Change 498387 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] [WIP] add kafkatee to mwlog

https://gerrit.wikimedia.org/r/498387

gerritbot added a comment.Mar 22 2019, 3:01 PM

Change 498387 abandoned by Filippo Giunchedi:
[WIP] add kafkatee to mwlog

https://gerrit.wikimedia.org/r/498387

gerritbot added a comment.Mar 22 2019, 3:15 PM

Change 494254 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/mediawiki-config@master] [WIP] mirror udp2log data into the logging pipeline

https://gerrit.wikimedia.org/r/494254

gerritbot added a comment.Mar 28 2019, 9:32 AM

Change 499734 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] logrotate: add old_dir parameter

https://gerrit.wikimedia.org/r/499734

gerritbot added a comment.Mar 28 2019, 11:00 AM

Change 499734 merged by Filippo Giunchedi:
[operations/puppet@production] logrotate: add old_dir parameter

https://gerrit.wikimedia.org/r/499734

gerritbot added a comment.Mar 28 2019, 11:22 AM

Change 498386 merged by Filippo Giunchedi:
[operations/puppet@production] profile: kafkatee instance for udp2log compat

https://gerrit.wikimedia.org/r/498386

gerritbot added a comment.Apr 2 2019, 7:30 AM

Change 498106 merged by Filippo Giunchedi:
[mediawiki/core@master] monolog: add MwlogHandler

https://gerrit.wikimedia.org/r/498106

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.24; 2019-04-02).Apr 2 2019, 8:01 AM
fgiunchedi added a comment.Jul 2 2019, 1:08 PM

I believe with T183303: Decomission old analytics kafka cluster now resolved all mw logs should be encrypted except for udp2log!

Ottomata added a comment.Jul 2 2019, 1:43 PM

Hm, I don't think T183303 affected any encryption status of logs. The Avro logs we migrated to event gate just do an HTTP post to EventGate, and EventGate produces to Kafka unencrypted.

fgiunchedi added a comment.Jul 2 2019, 1:58 PM
In T126989#5300054, @Ottomata wrote:

Hm, I don't think T183303 affected any encryption status of logs. The Avro logs we migrated to event gate just do an HTTP post to EventGate, and EventGate produces to Kafka unencrypted.

Ah, thanks for the clarification, totally I missed the fact that it'd be HTTP + Kafka in plaintext

Krinkle subscribed.EditedApr 20 2020, 5:34 PM

Comment moved to T205856#6072710.

Krinkle mentioned this in T205856: Retire udp2log: onboard its producers and consumers to the logging pipeline.Apr 20 2020, 5:34 PM
fgiunchedi moved this task from Inbox to Backlog on the observability board.Jul 6 2020, 2:14 PM
lmata edited projects, added SRE Observability; removed observability.Jul 12 2021, 2:22 AM
Maintenance_bot added a project: observability.Jul 12 2021, 2:47 AM
lmata moved this task from Inbox to Backlog on the SRE Observability board.Jul 15 2021, 4:09 AM
lmata edited projects, added Observability-Logging; removed SRE Observability.Aug 9 2021, 1:21 AM
Maintenance_bot edited projects, added SRE Observability; removed Observability-Logging.Aug 9 2021, 1:45 AM
lmata edited projects, added Observability-Logging; removed SRE Observability.Aug 9 2021, 3:19 AM
Maintenance_bot edited projects, added SRE Observability; removed Observability-Logging.Aug 9 2021, 3:47 AM
lmata edited projects, added Observability-Logging; removed SRE Observability.Jan 17 2022, 11:11 PM
gerritbot added a comment.Sep 7 2023, 8:24 AM

Change 494254 abandoned by Filippo Giunchedi:

[operations/mediawiki-config@master] [WIP] mirror udp2log data into the logging pipeline

Reason:

No plans to work on this any time soon

https://gerrit.wikimedia.org/r/494254

gerritbot added a comment.Tue, Apr 2, 2:05 PM

Change #492390 abandoned by Herron:

[operations/puppet@production] rsyslog: change udp_localhost_compat to define, add mwlog_compat

Reason:

spring cleaning -- stale patch

https://gerrit.wikimedia.org/r/492390

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL