Protect or remove __error_log__

I'll leave this one in m42.

Thinking it over, since _error_log__ can lie (due to multiple WSGI apps), I wonder if we need to rethink it.

A couple of things. This doesn't work multiprocess. We already have something that works a little better and is protected here:

https://karl.soros.org/error_monitor.html

We also have the syslog collector thing which also catches errors, although due to limitations in message length in the syslog protocol we can't currently capture an entire stack trace:

https://karl.soros.org/syslog.html

Some suggestions:

1) Get rid of __error_log__. It is redundant and it lies.

2) Beef up the error monitoring piece in the admin UI to make stack traces easier to read.

3) Beef up syslog stuff to include recording and then filtering by log level (ie, INFO, WARN, ERROR). This will make it easier to pull out errors from the longer stream of status messages.

4) Look into reporting exceptions with the syslog piece using separate messages for each line so that entire stack traces can be captures. Perhaps use an index of some sort so that the UI can concatenate separate messages into single multiline messages for display.

On Jun 17, 2010, at 4:55 PM, Chris Rossi wrote:

> A couple of things. This doesn't work multiprocess. We already have
> something that works a little better and is protected here:
>
> https://karl.soros.org/error_monitor.html
>
> We also have the syslog collector thing which also catches errors,
> although due to limitations in message length in the syslog protocol we
> can't currently capture an entire stack trace:
>
> https://karl.soros.org/syslog.html
>
> Some suggestions:
>
> 1) Get rid of __error_log__. It is redundant and it lies.

+1

> 2) Beef up the error monitoring piece in the admin UI to make stack
> traces easier to read.
>
> 3) Beef up syslog stuff to include recording and then filtering by log
> level (ie, INFO, WARN, ERROR). This will make it easier to pull out
> errors from the longer stream of status messages.
>
> 4) Look into reporting exceptions with the syslog piece using separate
> messages for each line so that entire stack traces can be captures.
> Perhaps use an index of some sort so that the UI can concatenate
> separate messages into single multiline messages for display.

5) Wait for RelStorage + history-free and do multi-process logging in the ZODB.

--Paul

Chris, can you remove the [filter:errorlog] from the various karl.ini files?

I do believe JimB could do this one.

ok, will do as we migrate users to karlhost01

You probably need to update a template too to remove the comment.

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
    <title>Not Found</title>
    <link href="http://staging.karl.sixfeetup.com/static/images/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
    <link href="http://staging.karl.sixfeetup.com/static/images/favicon.ico" rel="icon" type="image/vnd.microsoft.icon" />
    <link href="http://staging.karl.sixfeetup.com/static/themedstyles.css" rel="stylesheet" type="text/css" />
    <link href="http://staging.karl.sixfeetup.com/static/custom.css" rel="stylesheet" type="text/css" />

  </head>
  <body id="login-wrapper">
    <img src="http://staging.karl.sixfeetup.com/static/images/login_gradient.gif" id="login-gradient" />
    <div id="outer">
      <div id="inner">
        <h1 class="kscreentitle" style="margin-top: 50px">
          <span></span>
        </h1>
 <h2 style="margin-top: 20px; text-align: center">Not Found</h2>
        <p align="center">
KARL was unable to find the content at this URL.</p>
 <p align="center">
   Return to the <a href="http://staging.karl.sixfeetup.com/">home page</a>.
 </p>

            <!--
       You may refer to the error log here:
       http://staging.karl.sixfeetup.com/__error_log__
     -->

      </div>

    </div>

  </body>
</html>

In addition, when you go to /admin.html

"Logs / Analytics" -> "Error Log"

This now produces "General Error".

:)

Go ahead and leave your changes in there, and re-assign to Rossi with a note to remove from the ADMIN screen.

--Paul

On Jul 8, 2010, at 1:35 PM, Jim B. Glenn wrote:

> In addition, when you go to /admin.html
>
> "Logs / Analytics" -> "Error Log"
>
> This now produces "General Error".
>
> :)
>
> --
> Protect or remove __error_log__
> https://bugs.launchpad.net/bugs/581949
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in KARL3: Confirmed
>
> Bug description:
> As per OSI security audit, we shouldn't allow the error log to be visible to the anonymous public.
>
>
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/karl3/+bug/581949/+subscribe

Chris,
assigned to you per paul.
Still comment in html page on error + still as option in ADMIN screen.

Jim@SFU is removing option from config file.

Chris, this was marked as completed on Wednesday but didn't go out in Thursday's updates. Stated differently, __error_log__ is still there. Moving to M45.

Jim, can you do this one this week?

removed from customer's staging and production's karl.ini.
still haven't removed from all branch configurations, demo configurations, or etc-develops.

fixed