Anonymize values
This documentation does not apply to the most recent version of Splunk.
Below is an example of log events from an application log. The customer wants to protect some of the information, for example SessionId and Ticket, when a support engineer views this log. They would like to mask these IDs except for the last 4 characters. Example: SessionId=###########7BEA&Ticket=############96EE
"2006-09-21, 02:57:11.58", 122, 11, "Path=/LoginUser Query=CrmId=ClientABC&ContentItemId=TotalAccess&SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE&SessionTime=25368&ReturnUrl=http://www.clientabc.com, Method=GET, IP=209.51.249.195, Content=", ""
"2006-09-21, 02:57:11.60", 122, 15, "UserData:<User CrmId="clientabc" UserId="p12345678"><EntitlementList></EntitlementList></User>", ""
"2006-09-21, 02:57:11.60", 122, 15, "New Cookie: SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE&CrmId=clientabc&UserId=p12345678&AccountId=&AgentHost=man&AgentId=man, MANUser: Version=1&Name=&Debit=&Credit=&AccessTime=&BillDay=&Status=&Language=&Country=&Email=&EmailNotify=&Pin=&PinPayment=&PinAmount=&PinPG=&PinPGRate=&PinMenu=&", ""
To anonymize the data you will need to modify your props.conf and regexes.conf files in the $SPLUNK_HOME/etc/bundles/local directory. In your props.conf add the following:
[source::source-to-anonymize]
REGEXES-anonymize = session-anonymizer, ticket-anonymizer
In your regexes.conf you will want to add:
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
[ticket-anonymizer]
REGEX = (?m)^(.*)Ticket=\w+(\w{4}&.*)$
FORMAT = $1Ticket=########$2
DEST_KEY = _raw
There is a problem with this scenario: the regex processor can't handle multi-line events. To get around this, you need to tell regexes.conf that the event is multi-line by adding (?m) before the regular expression.
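An offline check of the two transforms above, as an added example that is not part of the Splunk documentation: Python's `re` module stands in for Splunk's regex processor (an assumption), and the function names and the second, constructed event are hypothetical. It shows that the ticket rule, which requires a trailing `&`, leaves a Ticket unmasked when it is the last parameter in the quoted string.

```python
import re

# REGEX/FORMAT pairs copied from the regexes.conf stanzas above; Splunk's
# $1/$2 are written as Python's \g<1>/\g<2>. Python's re is a stand-in
# for Splunk's regex processor (assumption).
RULES = [
    (r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$', r'\g<1>SessionId=########\g<2>'),
    (r'(?m)^(.*)Ticket=\w+(\w{4}&.*)$', r'\g<1>Ticket=########\g<2>'),
]

# A SessionId/Ticket value that still exposes more than 4 word characters.
UNMASKED = re.compile(r'\b(SessionId|Ticket)=#*(\w{5,})')

def anonymize(event):
    """Apply both rules in order to one single-line event."""
    for regex, fmt in RULES:
        event = re.sub(regex, fmt, event)
    return event

def leaks(event):
    """Return (field, value) pairs that are still readable after masking."""
    return UNMASKED.findall(event)

# Third event from the page, shortened after CrmId.
PAGE_EVENT = ('"2006-09-21, 02:57:11.60", 122, 15, "New Cookie: '
              'SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE'
              '&CrmId=clientabc", ""')

# Constructed variant: Ticket is the last parameter, so it is followed
# by a double quote instead of '&'.
TICKET_LAST = ('"2006-09-21, 02:57:11.60", 122, 15, "New Cookie: '
               'SessionId=3A1785URH117BEA&Ticket=646A1DA4STF896EE", ""')

if __name__ == "__main__":
    for name, event in (("page", PAGE_EVENT), ("ticket-last", TICKET_LAST)):
        masked = anonymize(event)
        print(name, "->", masked)
        print("  still readable:", leaks(masked) or "nothing")
```

Running the same check over a sample of real events before deploying the transforms shows which field positions the regexes miss; adding `"` to the character class in the ticket rule, as the session rule already does, covers the case shown here.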
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6