Error logging in Elixir with OTP 21+

Questions / Help
1

I’m trying to prevent leaking of application secrets and personally identifiable information (PIIs) into logs. One thing is obviously making sure that we don’t log that kind of data explicitly. But the other part is taming the built-in error reporters.

When my application was first deployed to the servers, there was a misconfiguration and it crashed badly. While that happened, the error reporter logged the state of a supervisor process and the last received message. The state contained API keys. If I write a simple GenServer that crashes, it’s pretty easy to reproduce the log entry with the last message. For some reason, I’m unable to make the error reporter log the process state.

I have a few questions around this:

  1. When is the state of the process logged?
  2. Is it possible to prevent logging of the last message and the state of the process?
  3. Is it possible to prevent logging of general errors (match error might leak sensitive data too)?

I’m also a bit confused about the documentation. Since I’m on OTP 21+, the docs state that:

SASL Reports
By SASL reports we mean supervisor reports, crash reports and progress reports.
Prior to Erlang/OTP 21.0, these reports were only logged when the SASL application was running, and they were printed trough SASL’s own event handlers sasl_report_tty_h and sasl_report_file_h. (…) Due to the specific event handlers, the output format slightly differed from other log events.
As of Erlang/OTP 21.0, the concept of SASL reports is removed, meaning that the default behaviour is as follows:

  • Supervisor reports, crash reports, and progress reports are no longer connected to the SASL application.
  • Supervisor reports and crash reports are issued as error level log events, and are logged through the default handler started by Kernel. (…)
  • The output format is the same for all log events.

On the other hand, the Elixir’s Logger docs state that I should set the :handle_otp_reports and :handle_sasl_reports options to true and start the :sasl application before the :logger to handle the process crash reports as usual Elixir logs.

  1. Is this still true when running on OTP 21+?
2 Likes
2

I don’t have the direct answers you’re looking for. However, I wanted to point out custom struct inspections, which is a relatively new feature. It allows you to specify which fields show when a struct is inspected. This applies to logs, because when state is printed to logs, it is inspected first.

3 Likes
3

Thanks! At first I thought that it’s really not the answer I’m looking for. Well, after some thought, it turns out that it actually is! It’s enough to wrap sensitive data in a struct and implement Inspect for it.

2 Likes
4

Years later I find myself wondering this same question :joy:

We’re not literally starting the SASL app, so do we need the logger handle_sasl option enabled? It seems like no? Curious if anyone ever found a clear answer!