With security already a hot topic in the data space, the Couchbase Server 5.5 release introduces a new feature – “Log Redaction”.

Logs are an important part of every platform. They are used for multiple purposes, ranging from security to monitoring and diagnostics.

Many applications use the Couchbase Data Platform to store Personally Identifiable Information (PII). This sensitive data needs special attention and careful handling. Specific policies may also be required in order to comply with data-related regulations like HIPAA, PCI, GDPR, etc. In addition, many organizations are protective of information about their internal assets such as hostnames.

What is log redaction?

In the publishing world, redaction refers to removing information from documents, and is a necessary step to ensure confidentiality of information before final publication.

Applying the same concept to Couchbase log files, sensitive user data can be scrubbed from the logs so that if you share them with anyone for troubleshooting or other purposes, they cannot find user data in these files. In Couchbase Server 5.5, enabling log redaction ensures that sensitive data never leaves the host without getting redacted. This provides stronger security guarantees, and this added security measure can help you meet regulatory and compliance standards for your data platform.

Enabling Log Redaction

In Couchbase Server 5.5, log redaction settings can be changed via the UI or the CLI. By default, the log redaction level is ‘none’, which means logs are not redacted. The ‘partial’ redaction level means that only sensitive user data is redacted, leaving metadata and system data untouched. In the future, more levels will be added to allow redaction of more types of data.

NOTE: When using partial redaction, users must be careful not to include sensitive data in the names of Couchbase resource objects. Network elements such as hostnames must also be carefully named, as the security best practice for Couchbase indicates.

The settings page has a global setting for log collection.

Log redaction can also be modified just prior to starting log collection in the Collect Information page.

If auditing is enabled, any changes made to the global log redaction settings will be audited.

Note: To be able to modify global log redaction settings, you must be a member of the full admin role. Log redaction is available only in the Enterprise Edition of Couchbase Server.

How does log redaction work?

The Couchbase log redaction feature post-processes system logs to redact information. When the services write log files, potentially sensitive data is tagged. When log collection runs, sensitive data is identified using the tags and is scrambled using a one-way hash function.

When collecting logs via the UI or CLI, Couchbase scrambles sensitive data using a random salt. The ‘cbcollect_info’ tool can be used directly to specify a custom salt, which results in deterministic hashing. This may be useful for correlating values that might have been redacted away.
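The sketch below is an added illustration, not Couchbase's code: it models tag-based redaction with a salted one-way hash to show how a random salt differs from a custom salt, and why the naming note under partial redaction matters. The `<ud>` tag syntax, the use of SHA-256, the function names and the sample log lines are assumptions made for this example.

```python
import hashlib
import re
import secrets

# Assumed tag syntax for this example; the article only says sensitive data is "tagged".
UD_TAG = re.compile(r"<ud>(.*?)</ud>")

def redact(lines, salt=None):
    """Replace each tagged value with a salted one-way hash.

    With no salt, a random one is drawn per collection run, so the same value
    hashes differently in every bundle. SHA-256 is this example's choice.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    def scramble(m):
        return "<ud>" + hashlib.sha256(salt + m.group(1).encode()).hexdigest() + "</ud>"
    return [UD_TAG.sub(scramble, line) for line in lines]

def tokens(lines):
    """Set of redacted tokens (tag contents) present in a bundle."""
    return {t for line in lines for t in UD_TAG.findall(line)}

def leaked(lines, sensitive_values):
    """Sensitive strings still readable after redaction (they were never tagged)."""
    return sorted(v for v in sensitive_values if any(v in line for line in lines))

# Constructed sample logs from two nodes; not real Couchbase output.
NODE_A = [
    "10:00:01 [query] statement failed for user <ud>alice@example.com</ud>",
    "10:00:02 [kv] bucket=orders key <ud>order::1001</ud> not found",
]
NODE_B = [
    "10:00:03 [index] scan by <ud>alice@example.com</ud> on host acme-payroll-db01",
]
SENSITIVE = ["alice@example.com", "order::1001", "acme-payroll"]

if __name__ == "__main__":
    # Random salt per run: the shared user cannot be matched across bundles.
    print(tokens(redact(NODE_A)) & tokens(redact(NODE_B)))
    # Same custom salt on both runs: one token in common, value still hidden.
    salt = b"ticket-salt"
    print(tokens(redact(NODE_A, salt)) & tokens(redact(NODE_B, salt)))
    # Untagged metadata (the hostname) survives partial redaction.
    print(leaked(redact(NODE_A, salt) + redact(NODE_B, salt), SENSITIVE))
```

Treat a custom salt as a secret: anyone who knows it can confirm guesses of a redacted value by hashing candidates with the same salt.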

Log redaction and system troubleshooting

Log redaction is important for complying with security requirements, but it can also make troubleshooting more difficult due to the lack of human-readable data in the log. For this reason, Couchbase still leaves the non-redacted version of the logs on your local disk, and zips up the redacted version to be shipped across the network.

OK, GO!

Head over to the Couchbase Downloads page and try out all the other new features in the Couchbase Server 5.5 release. Review the documentation for Couchbase log redaction cluster settings here. Let us know what you think, we want to hear from you.

Author

Posted by Perry Krug

Perry Krug is an Architect in the Office of the CTO focused on customer solutions. He has been with Couchbase for over 8 years and has been working with high-performance caching and database systems for over 12 years.
