Fluentd often handles sensitive logs and credentials for downstream systems.
- Restrict input plugins to trusted sources only.
- Validate and sanitize parsed records before forwarding.
- Use TLS for all remote forward/output destinations.
¶ Secret and Plugin Hardening
- Store output credentials in secret manager, not plaintext config.
- Minimize installed plugins to required set.
- Keep Fluentd and gems patched.