Question

Maarten Veger (MaartenV9058)
Rabobank
Lead BPM Architect & Pega CLSA
Posted: February 16, 2018
Last activity: March 9, 2018
Closed

How to make sure download of the log-files with direct URL requires authentication?

If you go to the Log landing page and open the Log Files, you can actually see a direct URL to log files. For example, the PegaRULES.log file can be downloaded using the following direct URL:

http://hostname/prweb/DiagnosticData?logType=PEGA&format=text

If you just type in this URL, it's also possible to download the log file without authentication (on a production system). This is at least also possible in Pega version 7.3.0.

According to this article (https://pdn.pega.com/support-articles/pega-authentication-requirement-log-download), this seems to be an enhancement, but we had a security finding on this.

Is there a way to configure this to make sure this authentication is used to download the log files? If not, any other recommendations to secure the log files?

Security System Administration Installation and Deployment
Moderation Team has archived post