Feature Proposal: Allow switching off IP logging in logfiles

Motivation

Due to privacy concerns it is sometimes required to disable logging of IP addresses without turning of logging altogether.

In some contries this is even required by existing privacy laws.
Here the admin can either disable logging altogether or needs to inform wiki guests about the logging before they call any wiki page (which would be quite a hassle).

Description and Documentation

See Motivation

Examples

Impact

%WHATDOESITAFFECT%
edit

Implementation

The starting point is adding a new config option:
$Foswiki::cfg{Log}{IP} = 1;    // Log also IP
$Foswiki::cfg{Log}{IP} = 0;    // Do not log IP

Then I patched Foswiki.pm:
--- Foswiki.pm.org   2010-11-10 09:29:12.000000000 +0900
+++ Foswiki.pm   2010-12-08 16:14:40.000000000 +0900
@@ -2165,8 +2165,13 @@
 
     my $remoteAddr = $this->{request}->remoteAddress() || '';
 
-    $this->logger->log( 'info', $user, $action, $webTopic, $extra,
-        $remoteAddr );
+    if ( $Foswiki::cfg{Log}{IP} ) {
+      $this->logger->log( 'info', $user, $action, $webTopic, $extra,
+         $remoteAddr );
+    } else {
+      $this->logger->log( 'info', $user, $action, $webTopic, $extra );
+    }
+
 }
 
 =begin TML

In case I did not overlooked another 100 places which are also affected I can help/do final implementation. In case somebody can give me some hand what to do and where.

-- Contributors: CharlesAdicke - 09 Dec 2010

Discussion

Next to do: use RequestAccessToGit wink


Franz

I agree - Charles - are you willing to implement this for the next release? I'll put you as the Commited Developer - you're welcome to say no - mostly I think you're only missing docco and some unit tests to make sure that someone doesn't accidentally break it smile

we can help you get started with any of these you like -

-- SvenDowideit - 10 Dec 2010

Good simple little enhancement. OK with me too.

Would love to see Charles on board as developer smile

-- KennethLavrsen - 10 Dec 2010

I've restarted the clock on this proposal. WillNorris suggested that we have a handler. A handler would permit implementation of an IP addresses anonymizer, rather than simply omitting them (and other possibilities, too, of course). Anything more than simply omitting the addresses also needs to take into account IPv6. CPAN:IP::Anonymous looks interesting, but it is complex, adds yet another dependency, and doesn't support IPv6.

For the above submitted code, I'd change it a bit to use {Log}{SuppressIP} in the configuration to handle the case where the setting is undefined in the configuration. We should default to logging IP addresses.

-- GeorgeClark - 18 Apr 2011

Handler? duuude, you don't even need a new cfg - just write a filtering Logger !

-- SvenDowideit - 18 Apr 2011

Does anyone know? Does this filtering of IP's only apply to Guest users? ( Statement was needs to inform wiki guests about the logging ) Or should that be an option, assuming that the registration page might inform users when they register that IP's are logged?

Also, what about failed password attempts. Is it acceptable to always log IP's from authentication failures. That way tools like fail2ban can be used to block IP's that are attempting to guess passwords.

If implemented as a filtering logger, this could be done as either an extension or as a core feature.

  • Foswiki::Logger::Filtering
    • !FilterGuestIPs Filter only IP's when a user is not logged in
    • !FilterLoggedInIPs Filter IP's for logged in users
    • !FilterAuthenticationIPs Filter IP's for authentication records. (Failures and Success)
At some future time we could add an option for obfuscation so that all events for a single IP can still be identified without revealing the actual IP.

Also IPv6 is a future consideration.

-- GeorgeClark - 10 May 2011

Implemented this as a subclass to the PlainFile logger Foswiki::Logger::PlainFile::Obfuscating. For now it has one configuration option. {Log}{Obfuscating}{MaskIP}. Default false. If set to true, the IP address is masked to x.x.x.x otherwise the IP address is transformed as follows:
  • Take the MD5 hash of the character IP address field
  • Convert the first 4 pairs of hex digits back to dotted decimal form.
  • Ex. 127.0.0.1 => f528764d624db129b32c21fbca0cb8d6 f5.28.76.4d = 245.40.118.77
Note that authentication errors are not obfuscated.
Topic revision: r12 - 05 Jul 2015, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy