Passwords in Puppet Log files
We're running Puppet v3.0.1. When introducing tools to manage log files from central points (e.g. Logstash), we became more aware of the passwords that are stored in the Puppet log files on the nodes.
When Puppet sets or resets a password in the configuration, based on the module technique, those show up in the log files. A file_line with a match (coming with stdlib) to only control the credentials in a configuration file will become distributed that way to other locations and accessible through log-analyzing tools as well.
Currently we adjusted filters in the log tools to suppress the password information being populated back into the analyzing tools.
Nonetheless, is there a known way (or updated Puppet version) that can reduce or limit the output into the log files on the client side in order to avoid credentials showing up in the node log files?
Are there any other suggestions or workarounds?
Thanks for all opinions.