
Log viewer for domain log files tries to parse encrypted files, which results in a display error

GwenDragon

Basic Pleskian
Username: GwenDragon

TITLE

Log viewer for domain log files tries to parse encrypted files, which results in a display error

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.48, Debian 11.5, x64

PROBLEM DESCRIPTION

For domains use logrotate to compress and encrypt rotated logs with gpg. This generates rotated files like error_log.1.gpg … error_log.7.gpg as desired.

If a user tries to view domain logs, the encrypted files are parsed, and this causes a broken display with binary garbage in the log viewer.

STEPS TO REPRODUCE

1. Add this to /opt/psa/etc/logrotate.conf
Code:
# ---- encrypt saved logs ------------------------------------
shred
compress
compresscmd /usr/bin/gpg
compressoptions --always-trust --encrypt --recipient [email protected]
compressext .gpg
# ---- encrypt saved logs ------------------------------------
2. Have log files in /var/www/vhosts/system/DOMAIN.TLD/logs/
3. Wait until the daily cron job has started Plesk's logrotate, or start it with /opt/psa/logrotate/sbin/logrotate -f /opt/psa/etc/logrotate.conf
4. Open in Plesk Obsidian
5. In Settings select a Domain
6. Select Protocols to inspect log files
7. Log file lines are shown

ACTUAL RESULT

You will see broken lines with binary garbage at the start of the log (see image)

[Image attachment: screenshot-2022-11-22-121611.png]


EXPECTED RESULT

Only log files (without the compressed ones) are parsed and log lines are shown correctly.

ANY ADDITIONAL INFORMATION

The log viewer should only display text format log files it can parse (could be excluded by file ending?).

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Hi @GwenDragon, thank you for posting on the board.

Could you please explain why you believe that the log viewer is buggy in case of encrypted files? Are encrypted log files a standard in your area or in the industry you are working in?

If you feel that log encryption would be a great new feature, why not open a User Voice entry on that and have people vote for it:
Maybe it can become the next big thing everyone needs.

Personally, I have never before seen a server where logs were encrypted, but you may have a striking use case that we have not yet considered. So please feel free to let us know. We're always interested in user suggestions.
 
The log viewer is buggy because it loads all files it finds in the folder without checking whether they contain real text data.

Encryption of web server logs after 1 day is needed for GDPR.
I do not need to suggest log encryption, as a logrotate job already does this at this time, and I do not want to have this encryption done by Plesk Obsidian.
 
"Encryption of web server logs after 1 day is needed for GDPR."
Thank you for clarifying this.

Plesk has an easy solution for this which is proven to be fully compliant with GDPR. Maybe you would like to give this a try:

You can have Plesk anonymize log files by running these commands on the shell:
Code:
# plesk bin settings -s logrotate_anonymize_ips=true
# plesk sbin logrot_mng --system-logs --anonymize-ip=true
# for i in `plesk db -se "select domains.name from domains left join dom_param on domains.id=dom_param.dom_id left join log_rotation on dom_param.val=log_rotation.id where domains.htype='vrt_hst' and dom_param.param='logrotation_id' and log_rotation.turned_on='true'"`; do plesk bin domain --update $i -log-rotate true; done

You can also turn on anonymization through the GUI: Tools & Settings > Server Settings > Check "Anonymize IP addresses during log rotation and collecting of web statistics"

IP addresses are anonymized when a log is rotated. Slow-growing logs may not rotate daily, but for that case, if you want daily anonymization, you can also check "Force daily log rotation for all domains".
 
Maybe you misunderstood what I needed.
I do not want to anonymise IPs.
I restrict access to all log data by encryption, for the website owner only, with their own GPG key.
That is why I do this.
 
Thank you again for clarifying. Actually, the encryption you are doing is not GDPR compliant. The reason for that is that nobody, including the website owner, must be able to follow IP addresses if the installation shall be GDPR compliant. When you encrypt the subscribers' log files, the subscribers will continue to be able to identify the owners of requests that were driven against the web server, because they can simply decrypt their logs. That is exactly what GDPR prohibits. But anyway, it is your choice how to operate your systems and you are obviously giving this all a lot of thought and will know what is best for you better than others.

Regarding the log viewer: The log viewer assumes that in the logs directory there are only log files as they ought to be in that place. Encrypting these files is rarely seen, if at all, so I would not really consider it a bug that the log viewer displays what it finds in the log directory. That component is doing what it ought to do: It displays logs. That the content of the logs is encrypted is not really something that the viewer should sort out. Encrypted files or other file formats (images, javascript, php etc.) are simply not to be stored in a logs directory.

Maybe this workaround can work for you: When you run an encryption process on the log files, you might also simply let your script create an additional "logs" directory for the encrypted files, e.g. "/logs_encrypted" and "mv" the encrypted files to that location. This way the log viewer will stay clean of the cryptic characters while your users still have the full files and can decrypt them with their key. If you left the encrypted log files in the logs directory, they could not be viewed there anyway by the log viewer, so the simple solution is to move them to a different folder.

And again, plesk.uservoice.com is always a good place for upgrade suggestions.
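
The workaround suggested in the post above, sketched as an added example (not part of the original thread and not Plesk code). The function name, the logs_encrypted destination and the 7-day retention are assumptions. Because logrotate creates error_log.1.gpg again on every rotation, each moved file is stamped with its modification date so that an earlier copy is never overwritten.

```shell
#!/bin/bash
# Added example: move gpg-encrypted rotated logs out of the directory the
# log viewer reads. Paths and the retention period are assumptions.

# move_encrypted_logs LOGS_DIR DEST_DIR [KEEP_DAYS]
# Prints the number of files moved. The body runs in a subshell, so its
# variables do not leak into the caller.
move_encrypted_logs() (
    logs_dir=$1
    dest_dir=$2
    keep_days=${3:-7}
    moved=0

    mkdir -p "$dest_dir" || exit 1
    chmod 750 "$dest_dir"    # keep the ciphertext directory non-world-readable

    for f in "$logs_dir"/*.gpg; do
        # Skip the unexpanded glob (no matches), symlinks and non-regular files.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        base=$(basename "$f" .gpg)    # error_log.1.gpg -> error_log.1
        name=${base%.[0-9]*}          # error_log.1     -> error_log
        # Stamp with the file's modification date (GNU date, as on Debian).
        stamp=$(date -r "$f" +%Y%m%d)
        target="$dest_dir/$name-$stamp.gpg"
        n=1
        # A forced second rotation on the same day gets a numeric suffix.
        while [ -e "$target" ]; do
            target="$dest_dir/$name-$stamp.$n.gpg"
            n=$((n + 1))
        done
        mv -- "$f" "$target" && moved=$((moved + 1))
    done

    # Files moved out of logs/ are no longer pruned by logrotate's
    # "rotate N" setting, so retention has to be enforced here.
    find "$dest_dir" -maxdepth 1 -type f -name '*.gpg' \
        -mtime +"$keep_days" -delete
    echo "$moved"
)

# Run directly: script.sh /var/www/vhosts/system/DOMAIN.TLD/logs DEST_DIR
[ "$#" -eq 0 ] || move_encrypted_logs "$@"
```

Run it after each rotation, for example from a cron job scheduled after Plesk's daily logrotate run.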
 