A backend for the Elixir Logger that logs JSON and filters your secrets.

Usage

To use Ink for your logging, just configure it as a backend:

config :logger, backends: [Ink]

# optional additional configuration
config :logger, Ink,
  name: "your app",
  level: :info

Options

In total, the following options are supported by Ink:

• :name the name of your app that will be added to all logs
• :io_device the IO device the logs are written to (default: :stdio)
• :level the minimum log level for outputting messages (default: :debug)
• :status_mapping the mapping to use for log statuses (default: :bunyan)
• :filtered_strings secret strings that should not be printed in logs (default: [])
• :filtered_uri_credentials URIs that contain credentials for filtering (default: [])
• :metadata the metadata keys that should be included in the logs (default: all)
• :exclude_hostname exclude local hostname from the log (default: false)
• :log_encoding_error whether to log errors that happen during JSON encoding (default: true)

Filtering secrets

Ink can be configured to filter secrets out of your logs:

config :logger, Ink,
  filtered_strings: ["password"]

Sometimes, you configure a connection using a URL. For example, a RabbitMQ connection could be configured with the URL "amqp://user:password@localhost:5672". Filtering the whole URL from your logs doesn't do you any good. Therefore, Ink has a separate option to pass secret URLs:

config :logger, Ink,
  filtered_uri_credentials: ["amqp://user:password@localhost:5672"]

This code will parse the URL and only filter "password" from your logs.

Preventing reports on the terminal

When processes crash - which is a normal thing to happen in Elixir - OTP sends reports to the handlers of the :error_logger. In some environments, there is a default handler that prints these to the terminal. Since it includes the state of the crashed process, this can include secrets from your application. Ink is unable to filter these reports, because they are not printed using the Logger.

You can disable printing of these reports with the following line in your config:

config :sasl, sasl_error_logger: false

Metadata

If you don't configure any specific metadata, Ink will include all metadata as separate fields in the logged JSON. If you only want to include specific metadata in your logs, you need to configure the included fields.

config :logger, Ink,
  metadata: [:pid, :my_field]

Note: Since the term PID is also prevalent in the UNIX world, services like LogStash expect an integer if they encounter a field named pid. Therefore, Ink will log the PID as erlang_pid.