Question on logging best practices and ALLOWED_HOST
11 views
Skip to first unread message
Dan Davis
May 22, 2019, 1:25:08 PM5/22/19
to Django users
First Question - How valuable is the check on ALLOWED_HOST?
How many folks out there simply have settings:
ALLOWED_HOSTS = ['*']
Second Question - What is the best practice for enriching the log record?
On-premise, we've struggled with the interaction of the AdminEmailHandler and security scans:
'mail_admins': {
'level': 'ERROR',
'filters': ['require_debug_false', 'skip_nessus_scan_requests'],
'class': 'django.utils.log.AdminEmailHandler',
'include_html': True,
},
Now we want to go farther and divert logs originating from the security scanner to a different log.
That means that some variant of this code would run again and again:
class SkipNessusScanFilter(logging.Filter):"""Avoids a trace back for requests coming from a NESSUS scan. Depends on NESSUS_SCAN_IPS."""def filter(self, record):request = getattr(record, 'request', None)if request and hasattr(request, 'META') and request.META.get('REMOTE_ADDR') in NESSUS_SCAN_IPS:return Falsereturn True
I want to centralize the check and make it more performant. Is there a better place to enrich the log record than when the filter runs?
def is_nessus_scan(record):is_nessus_scan = getattr(record, 'is_nessus_scan', None)if is_nessus_scan is None:request = getattr(record, 'request', None)is_nessus_scan = (requestand hasattr(request, 'META')and request.META.get('REMOTE_ADDR') in NESSUS_SCAN_IPS)setattr(record, 'is_nessus_scan', None)return is_nessus_scanclass SkipNessusScanFilter(logging.Filter):"""Avoids a trace back for requests coming from a NESSUS scan. Depends on NESSUS_SCAN_IPS."""def filter(self, record):return is_nessus_scan(record)class RequireNessusScanFilter(logging.Filter):"""Diverts nessus logging to another file. Depends on NESSUS_SCAN_IPS."""def filter(self, record):return not is_nessus_scan(record)
Reply all
Reply to author
Forward
0 new messages