fix: OTLP logging improvements

opentelemetry-otlp/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## vNext
 
+- Improved error logging for gRPC and HTTP exporters. The status code is now
+  logged at WARN level, while potentially sensitive details (message, response
+  body) are logged at DEBUG level only. This prevents sensitive information
+  (like authentication tokens) from being logged at higher log levels.
+  **Note:** If you enable `DEBUG` level logging in production, these details 
+  will still be visible. Use `WARN` or higher for production centralized logging.
+  [#3021](https://github.com/open-telemetry/opentelemetry-rust/issues/3021)
 - Fix `NoHttpClient` error when multiple HTTP client features are enabled by using priority-based selection (`reqwest-client` > `hyper-client` > `reqwest-blocking-client`). [#2994](https://github.com/open-telemetry/opentelemetry-rust/issues/2994)
 - Add partial success response handling for OTLP exporters (traces, metrics, logs) per OTLP spec. Exporters now log warnings when the server returns partial success responses with rejected items and error messages. [#865](https://github.com/open-telemetry/opentelemetry-rust/issues/865)
 - Refactor `internal-logs` feature in `opentelemetry-otlp` to reduce unnecessary dependencies[3191](https://github.com/open-telemetry/opentelemetry-rust/pull/3192)

opentelemetry-otlp/src/exporter/http/mod.rs

@@ -4,7 +4,7 @@ use super::{
 };
 use crate::{ExportConfig, Protocol, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS};
 use http::{HeaderName, HeaderValue, Uri};
-use opentelemetry::otel_debug;
+use opentelemetry::{otel_debug, otel_warn};
 use opentelemetry_http::{Bytes, HttpClient};
 use opentelemetry_proto::transform::common::tonic::ResourceAttributesWithSchema;
 #[cfg(feature = "logs")]
@@ -488,7 +488,15 @@ impl OtlpHttpClient {
 
         // Send request
         let response = client.send_bytes(request).await.map_err(|e| {
-            HttpExportError::new(0, format!("Network error: {e:?}")) // Network error
+            // Connection errors (e.g., "Connection refused", DNS failures) typically
+            // indicate user-side misconfigurations and don't contain sensitive data,
+            // so it's safe to log the error message at WARN level.
+            otel_warn!(
+                name: "HttpClient.ExportFailed",
+                url = request_uri.as_str(),
+                error = format!("{e}")
+            );
+            HttpExportError::new(0, "HTTP export failed".to_string())
         })?;
 
         let status_code = response.status().as_u16();
@@ -499,12 +507,18 @@ impl OtlpHttpClient {
             .map(|s| s.to_string());
 
         if !response.status().is_success() {
-            let message = format!(
-                "HTTP export failed. Url: {}, Status: {}, Response: {:?}",
-                request_uri,
-                status_code,
-                response.body()
+            otel_warn!(
+                name: "HttpClient.ExportFailed",
+                status_code = status_code,
+                url = request_uri.as_str()
+            );
+            // Response body may contain sensitive information,
+            // so log it at debug level only.
+            otel_debug!(
+                name: "HttpClient.ExportFailedDetails",
+                response_body = format!("{:?}", response.body())
             );
+            let message = "HTTP export failed".to_string();
             return Err(match retry_after {
                 Some(retry_after) => {
                     HttpExportError::with_retry_after(status_code, retry_after, message)

opentelemetry-otlp/src/exporter/tonic/logs.rs

@@ -94,8 +94,22 @@ impl LogExporter for TonicLogsClient {
                                 .interceptor
                                 .call(Request::new(()))
                                 .map_err(|e| {
+                                    otel_warn!(
+                                        name: "TonicLogsClient.InterceptorFailed",
+                                        grpc_code = format!("{:?}", e.code())
+                                    );
+                                    // grpc_message and grpc_details may contain sensitive information,
+                                    // so log them at debug level only.
+                                    otel_debug!(
+                                        name: "TonicLogsClient.InterceptorFailedDetails",
+                                        grpc_message = e.message(),
+                                        grpc_details = format!("{:?}", e.details())
+                                    );
                                     // Convert interceptor errors to tonic::Status for retry classification
-                                    tonic::Status::internal(format!("interceptor error: {e:?}"))
+                                    tonic::Status::internal(&format!(
+                                        "Logs export failed in interceptor with gRPC code: {:?}",
+                                        e.code()
+                                    ))
                                 })?
                                 .into_parts();
                             Ok((inner.client.clone(), m, e))
@@ -137,9 +151,47 @@ impl LogExporter for TonicLogsClient {
         .await
         {
             Ok(_) => Ok(()),
-            Err(tonic_status) => Err(OTelSdkError::InternalFailure(format!(
-                "export error: {tonic_status:?}"
-            ))),
+            Err(tonic_status) => {
+                // For connection-related errors (Unavailable, Unknown, etc.), the message
+                // typically contains safe, actionable information (e.g., "Connection refused").
+                // For auth errors (Unauthenticated, PermissionDenied), the message may contain
+                // sensitive information, so we only log the code at WARN level.
+                let code = tonic_status.code();
+                let is_connection_error = matches!(
+                    code,
+                    tonic::Code::Unavailable
+                        | tonic::Code::Unknown
+                        | tonic::Code::DeadlineExceeded
+                        | tonic::Code::ResourceExhausted
+                        | tonic::Code::Aborted
+                        | tonic::Code::Cancelled
+                );
+
+                if is_connection_error {
+                    otel_warn!(
+                        name: "TonicLogsClient.ExportFailed",
+                        grpc_code = format!("{:?}", code),
+                        grpc_message = tonic_status.message()
+                    );
+                } else {
+                    // For potentially sensitive errors (Unauthenticated, PermissionDenied, etc.),
+                    // only log the code at WARN level.
+                    otel_warn!(
+                        name: "TonicLogsClient.ExportFailed",
+                        grpc_code = format!("{:?}", code)
+                    );
+                    // Log message and details at debug level for sensitive error types.
+                    otel_debug!(
+                        name: "TonicLogsClient.ExportFailedDetails",
+                        grpc_message = tonic_status.message(),
+                        grpc_details = format!("{:?}", tonic_status.details())
+                    );
+                }
+                Err(OTelSdkError::InternalFailure(format!(
+                    "Logs export failed with gRPC code: {:?}",
+                    code
+                )))
+            }
         }
     }
 

opentelemetry-otlp/src/exporter/tonic/metrics.rs

@@ -85,9 +85,18 @@ impl MetricsClient for TonicMetricsClient {
                                 .interceptor
                                 .call(Request::new(()))
                                 .map_err(|e| {
-                                    tonic::Status::internal(format!(
-                                        "unexpected status while exporting {e:?}"
-                                    ))
+                                    otel_warn!(
+                                        name: "TonicMetricsClient.InterceptorFailed",
+                                        grpc_code = format!("{:?}", e.code())
+                                    );
+                                    // grpc_message and grpc_details may contain sensitive information,
+                                    // so log them at debug level only.
+                                    otel_debug!(
+                                        name: "TonicMetricsClient.InterceptorFailedDetails",
+                                        grpc_message = e.message(),
+                                        grpc_details = format!("{:?}", e.details())
+                                    );
+                                    tonic::Status::internal("Metrics export failed in interceptor")
                                 })?
                                 .into_parts();
                             Ok((inner.client.clone(), m, e))
@@ -127,9 +136,46 @@ impl MetricsClient for TonicMetricsClient {
         .await
         {
             Ok(_) => Ok(()),
-            Err(tonic_status) => Err(OTelSdkError::InternalFailure(format!(
-                "export error: {tonic_status:?}"
-            ))),
+            Err(tonic_status) => {
+                // For connection-related errors (Unavailable, Unknown, etc.), the message
+                // typically contains safe, actionable information (e.g., "Connection refused").
+                // For auth errors (Unauthenticated, PermissionDenied), the message may contain
+                // sensitive information, so we only log the code at WARN level.
+                let code = tonic_status.code();
+                let is_connection_error = matches!(
+                    code,
+                    tonic::Code::Unavailable
+                        | tonic::Code::Unknown
+                        | tonic::Code::DeadlineExceeded
+                        | tonic::Code::ResourceExhausted
+                        | tonic::Code::Aborted
+                        | tonic::Code::Cancelled
+                );
+
+                if is_connection_error {
+                    otel_warn!(
+                        name: "TonicMetricsClient.ExportFailed",
+                        grpc_code = format!("{:?}", code),
+                        grpc_message = tonic_status.message()
+                    );
+                } else {
+                    // For potentially sensitive errors (Unauthenticated, PermissionDenied, etc.),
+                    // only log the code at WARN level.
+                    otel_warn!(
+                        name: "TonicMetricsClient.ExportFailed",
+                        grpc_code = format!("{:?}", code)
+                    );
+                    // Log message and details at debug level for sensitive error types.
+                    otel_debug!(
+                        name: "TonicMetricsClient.ExportFailedDetails",
+                        grpc_message = tonic_status.message(),
+                        grpc_details = format!("{:?}", tonic_status.details())
+                    );
+                }
+                Err(OTelSdkError::InternalFailure(
+                    "Metrics export failed".into(),
+                ))
+            }
         }
     }
 

opentelemetry-otlp/src/exporter/tonic/trace.rs

@@ -96,8 +96,19 @@ impl SpanExporter for TonicTracesClient {
                                 .interceptor
                                 .call(Request::new(()))
                                 .map_err(|e| {
+                                    otel_warn!(
+                                        name: "TonicTracesClient.InterceptorFailed",
+                                        grpc_code = format!("{:?}", e.code())
+                                    );
+                                    // grpc_message and grpc_details may contain sensitive information,
+                                    // so log them at debug level only.
+                                    otel_debug!(
+                                        name: "TonicTracesClient.InterceptorFailedDetails",
+                                        grpc_message = e.message(),
+                                        grpc_details = format!("{:?}", e.details())
+                                    );
                                     // Convert interceptor errors to tonic::Status for retry classification
-                                    tonic::Status::internal(format!("interceptor error: {e:?}"))
+                                    tonic::Status::internal("Traces export failed in interceptor")
                                 })?
                                 .into_parts();
                             Ok((inner.client.clone(), m, e))
@@ -140,9 +151,44 @@ impl SpanExporter for TonicTracesClient {
         .await
         {
             Ok(_) => Ok(()),
-            Err(tonic_status) => Err(OTelSdkError::InternalFailure(format!(
-                "export error: {tonic_status:?}"
-            ))),
+            Err(tonic_status) => {
+                // For connection-related errors (Unavailable, Unknown, etc.), the message
+                // typically contains safe, actionable information (e.g., "Connection refused").
+                // For auth errors (Unauthenticated, PermissionDenied), the message may contain
+                // sensitive information, so we only log the code at WARN level.
+                let code = tonic_status.code();
+                let is_connection_error = matches!(
+                    code,
+                    tonic::Code::Unavailable
+                        | tonic::Code::Unknown
+                        | tonic::Code::DeadlineExceeded
+                        | tonic::Code::ResourceExhausted
+                        | tonic::Code::Aborted
+                        | tonic::Code::Cancelled
+                );
+
+                if is_connection_error {
+                    otel_warn!(
+                        name: "TonicTracesClient.ExportFailed",
+                        grpc_code = format!("{:?}", code),
+                        grpc_message = tonic_status.message()
+                    );
+                } else {
+                    // For potentially sensitive errors (Unauthenticated, PermissionDenied, etc.),
+                    // only log the code at WARN level.
+                    otel_warn!(
+                        name: "TonicTracesClient.ExportFailed",
+                        grpc_code = format!("{:?}", code)
+                    );
+                    // Log message and details at debug level for sensitive error types.
+                    otel_debug!(
+                        name: "TonicTracesClient.ExportFailedDetails",
+                        grpc_message = tonic_status.message(),
+                        grpc_details = format!("{:?}", tonic_status.details())
+                    );
+                }
+                Err(OTelSdkError::InternalFailure("Traces export failed".into()))
+            }
         }
     }