elastic · xrmx · Oct 3, 2025 · Sep 25, 2025 · Oct 3, 2025 · Oct 3, 2025
@@ -92,7 +92,10 @@ def _configure(self, **kwargs):
         super()._configure(**kwargs)
 
         # set our local config based on environment variables
-        _initialize_config()
+        config = _initialize_config()
+
+        # collect and log all OTEL related env variables to ease troubleshooting
+        config.log_env_vars()
 
         enable_opamp = False
         endpoint = os.environ.get(ELASTIC_OTEL_OPAMP_ENDPOINT)

@@ -20,6 +20,7 @@
 import os
 from dataclasses import dataclass
 
+from elasticotel.distro.sanitization import _sanitize_headers_env_vars
 from opentelemetry import trace
 from opentelemetry._opamp import messages
 from opentelemetry._opamp.agent import OpAMPAgent
@@ -91,6 +92,17 @@ class Config:
     def to_dict(self):
         return {LOGGING_LEVEL_CONFIG_KEY: self.logging_level.value, SAMPLING_RATE_CONFIG_KEY: self.sampling_rate.value}
 
+    def log_env_vars(self):
+        # log all the environment variables that starts with OTEL_ or ELASTIC_OTEL_ to ease troubleshooting
+        env_vars = [
+            _sanitize_headers_env_vars(k, v)
+            for k, v in os.environ.items()
+            if k.startswith("OTEL_") or k.startswith("ELASTIC_OTEL_")
+        ]
+        logger.info("EDOT Configuration")
+        for k, v in sorted(env_vars):
+            logger.info("%s: %s", k, v)
+
     def _handle_logging(self):
         # do validation, we only validate logging_level because sampling_rate is handled by the sdk already
         logging_level = _LOG_LEVELS_MAP.get(self.logging_level.value)

@@ -0,0 +1,51 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from opentelemetry.util.re import parse_env_headers
+import re
+
+MASK = "[REDACTED]"
+
+# entries are regexes
+_KEYS_TO_SANITIZE = [
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    ".*key",
+    ".*session.*",
+    ".*token.*",
+    ".*auth.*",
+]
+KEYS_TO_SANITIZE = [re.compile(entry) for entry in _KEYS_TO_SANITIZE]
+
+
+def _sanitize_headers_env_vars(env_var_name: str, env_var_value: str):
+    # we take care only of headers because that's where secrets may be stored
+    if "HEADERS" not in env_var_name:
+        return (env_var_name, env_var_value)
+
+    # liberal is required to handle values that are not url encoded
+    headers = parse_env_headers(env_var_value, liberal=True)
+
+    sanitized = []
+    for key, value in headers.items():
+        if any(key_re.search(key) for key_re in KEYS_TO_SANITIZE):
+            sanitized.append(f"{key}={MASK}")
+        else:
+            sanitized.append(f"{key}={value}")
+
+    return (env_var_name, ",".join(sanitized))
@@ -270,6 +270,37 @@ def test_configurator_handles_invalid_elastic_otel_log_level(self):
         self.assertEqual(logging.getLogger("opentelemetry").getEffectiveLevel(), logging.WARNING)
         self.assertEqual(logging.getLogger("elasticotel").getEffectiveLevel(), logging.WARNING)
 
+    @mock.patch.dict(
+        "os.environ",
+        {
+            "OTEL_LOG_LEVEL": "info",
+            "ELASTIC_OTEL_SOMETHING": "elastic",
+            "ELASTIC_OTEL_HEADERS": "api-key=secret",
+            "UNRELATED": "ignored",
+        },
+        clear=True,
+    )
+    def test_configurator_log_otel_env_vars_at_info_level(self):
+        with self.assertLogs("elasticotel", level="INFO") as cm:
+            ElasticOpenTelemetryConfigurator()._configure()
+
+        self.assertEqual(
+            cm.output,
+            [
+                "INFO:elasticotel.distro.config:EDOT Configuration",
+                "INFO:elasticotel.distro.config:ELASTIC_OTEL_HEADERS: api-key=[REDACTED]",
+                "INFO:elasticotel.distro.config:ELASTIC_OTEL_SOMETHING: elastic",
+                "INFO:elasticotel.distro.config:OTEL_LOG_LEVEL: info",
+            ],
+        )
+
+    @mock.patch.dict("os.environ", {"ELASTIC_OTEL_VAR": "elastic"}, clear=True)
+    @mock.patch("elasticotel.distro.config.logger")
+    def test_configurator_does_not_log_otel_env_vars_by_default(self, logger_mock):
+        ElasticOpenTelemetryConfigurator()._configure()
+
+        logger_mock.assert_not_called()
+
 
 class TestOpAMPHandler(TestCase):
     @mock.patch.object(logging, "getLogger")
@@ -329,7 +360,7 @@ def test_fails_if_cannot_decode_elastic_config_json(self, logger_mock, get_confi
             remote_config_hash=b"1234", status=opamp_pb2.RemoteConfigStatuses_FAILED, error_message=error_message
         )
         client._update_effective_config.assert_called_once_with(
-            {"elastic": {"logging_level": "info", "sampling_rate": "1.0"}}
+            {"elastic": {"logging_level": "warn", "sampling_rate": "1.0"}}
         )
         client._build_remote_config_status_response_message.assert_called_once_with(
             client._update_remote_config_status()
@@ -357,7 +388,7 @@ def test_fails_if_elastic_config_is_not_json(self, logger_mock, get_config_mock)
             remote_config_hash=b"1234", status=opamp_pb2.RemoteConfigStatuses_FAILED, error_message=error_message
         )
         client._update_effective_config.assert_called_once_with(
-            {"elastic": {"logging_level": "info", "sampling_rate": "1.0"}}
+            {"elastic": {"logging_level": "warn", "sampling_rate": "1.0"}}
         )
         client._build_remote_config_status_response_message.assert_called_once_with(
             client._update_remote_config_status()

@@ -0,0 +1,66 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from unittest import TestCase
+
+from elasticotel.distro.sanitization import _sanitize_headers_env_vars
+
+
+class TestSanitizeHeadersEnvVars(TestCase):
+    def test_ignores_non_headers(self):
+        sanitized = _sanitize_headers_env_vars("ENDPOINT", "api-key=secret")
+        self.assertEqual(sanitized, ("ENDPOINT", "api-key=secret"))
+
+    def test_sanitizes_single_item(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "api-key=secret")
+        self.assertEqual(sanitized, ("HEADERS", "api-key=[REDACTED]"))
+
+    def test_sanitizes_list_of_items(self):
+        sanitized = _sanitize_headers_env_vars(
+            "HEADERS",
+            "api-key=secret,password=secret,passwd=secret,pwd=secret,secret=secret,key=secret,sessionid=secret,auth-token=secret,token=secret,bearer-token=auth,auth=secret",
+        )
+        self.assertEqual(
+            sanitized,
+            (
+                "HEADERS",
+                "api-key=[REDACTED],password=[REDACTED],passwd=[REDACTED],pwd=[REDACTED],secret=[REDACTED],key=[REDACTED],sessionid=[REDACTED],auth-token=[REDACTED],token=[REDACTED],bearer-token=[REDACTED],auth=[REDACTED]",
+            ),
+        )
+
+    def test_ignores_other_values_single_item(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "content-type=no-secret")
+        self.assertEqual(sanitized, ("HEADERS", "content-type=no-secret"))
+
+    def test_ignores_other_values_list_of_items(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "content-type=no-secret,other-header=no-secret")
+        self.assertEqual(sanitized, ("HEADERS", "content-type=no-secret,other-header=no-secret"))
+
+    def test_handles_mixed_list_of_items(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "api-key=secret,content-type=no-secret")
+        self.assertEqual(sanitized, ("HEADERS", "api-key=[REDACTED],content-type=no-secret"))
+
+    def test_drops_invalid_entries(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "content-type:no-secret")
+        self.assertEqual(sanitized, ("HEADERS", ""))
+
+    def test_case_insensitive(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "Authorization=ApiKey")
+        self.assertEqual(sanitized, ("HEADERS", "authorization=[REDACTED]"))
+
+    def test_handles_spaces(self):
+        sanitized = _sanitize_headers_env_vars("HEADERS", "authorization=api-key secret")
+        self.assertEqual(sanitized, ("HEADERS", "authorization=[REDACTED]"))