MaartenV9058 Member since 2014 6 posts
Rabobank
Posted: February 16, 2018
Last activity: March 9, 2018
Closed

How to make sure download of the log-files with direct URL requires authentication?

If you go to the Log landing page and open the Log Files, you can actually see a direct URL to log files. For example, the PegaRULES.log file can be downloaded using the following direct URL:

http://hostname/prweb/DiagnosticData?logType=PEGA&format=text

If you just type in this URL, it's also possible to download the log file without authentication (on a production system). This is at least also possible in Pega version 7.3.0.

According to this article, https://pdn.pega.com/support-articles/pega-authentication-requirement-log-download, this seems to be an enhancement, but we had a security finding on this.

Is there a way to configure this to make sure this authentication is used to download the log files? If not, any other recommendations to secure the log files?
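
A check for the behaviour described in the post, added here as an example (it is not part of the original post and not Pega code): it requests the log URL with no credentials or cookies and reports whether the server hands back content or demands authentication. The function name, the verdict strings, and the choice to treat a redirect as "protected" are assumptions of this example.

```python
import urllib.error
import urllib.request

# Path and query string exactly as quoted in the post above.
LOG_PATH = "/prweb/DiagnosticData?logType=PEGA&format=text"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies instead of following them to a login page,
    which would otherwise come back as a misleading 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_log_endpoint(base_url, timeout=5.0):
    """Send one unauthenticated GET for the log file and classify the reply.

    Returns (verdict, status); verdict is 'exposed', 'protected' or 'unknown'.
    """
    # Empty ProxyHandler: connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.ProxyHandler({})
    )
    url = base_url.rstrip("/") + LOG_PATH
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(512)
    except urllib.error.HTTPError as err:
        # 401/403 and (because of NoRedirect) 3xx all arrive here.
        status, body = err.code, b""
    if status in (401, 403) or 300 <= status < 400:
        return "protected", status
    if status == 200 and body:
        return "exposed", status
    return "unknown", status


if __name__ == "__main__":
    # "hostname" is the placeholder used in the post; substitute your own server.
    print(check_log_endpoint("http://hostname"))
```

A 200 whose body is a login form rather than log text would still be reported as "exposed", so review the body before filing the result; running the check after each configuration change or upgrade shows whether the finding has been closed.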

Moderation Team has archived post