Anonymize part of string

Hi,

I have access logs which contain sensitive data

[2023-00-00T00:00:00.000] ... "GET /example.com/foo/bar?password=SecretPassword&user=UserName" ...

Is it possible to anonymize the password value in that string?

The following gsub filter can do that:

filter {
    mutate {
        gsub => ["fieldName","password=(\S+)&user","password=REDACTED&user"]
    }
}

Where fieldName is the field that has the following string:

/example.com/foo/bar?password=SecretPassword&user=UserName

On a non-elastic related note, using the URL to store secrets is a bad idea. If at all possible, I would advise you to have the application changed instead of only obfuscating the logs within elastic.

Couple of sources to help understand why this is a bad idea:

@leandrojmp thank you for the advice.

I've solved it by adding a processors section to the filebeat configuration

processors:
  - script:
      lang: javascript
      source: >
        function process(event) {
            /* [set of symbols] is a placeholder for the character class that matches the value */
            event.Put("message", event.Get("message")
              .replace(/(password=)[set of symbols]+(&?)/, "$1HIDDEN$2")
              .replace(/(user=)[set of symbols]+(&?)/, "$1HIDDEN$2"));
            return event;
        }
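
A redaction that does not depend on parameter order or position in the query string, as an added example that is not part of the original thread. The `SENSITIVE` list, the `HIDDEN` marker's reuse, the helper names (`redactQuery`, `processEvent`, `redactSamples`) and the sample lines are assumptions made for illustration.

```javascript
// Added example. SENSITIVE lists assumed parameter names; extend it for your application.
var SENSITIVE = ["password", "user"];

// A sensitive name must directly follow "?" or "&", so "mypassword=" is left alone.
// The value runs up to the next "&", "#", double quote or whitespace and may be empty.
var PARAM_RE = new RegExp(
    "([?&](?:" + SENSITIVE.join("|") + ")=)[^&#\"\\s]*", "gi");

function redactQuery(message) {
    return message.replace(PARAM_RE, "$1HIDDEN");
}

// Wrapper with the event.Get/event.Put calls used in the thread. Inside the Filebeat
// script processor this function has to be named process (hypothetical name here so
// the file also runs under Node.js, where process is a global object).
function processEvent(event) {
    var msg = event.Get("message");
    if (typeof msg === "string") {
        event.Put("message", redactQuery(msg));
    }
    return event;
}

// Constructed sample lines, not taken from real logs.
var SAMPLES = [
    '"GET /example.com/foo/bar?password=SecretPassword&user=UserName"',
    '"GET /login?user=alice&next=/home&PASSWORD=p%40ss HTTP/1.1"',
    '"GET /a?mypassword=x&password="'
];

function redactSamples() {
    return SAMPLES.map(redactQuery);
}

// Node.js only: print the redacted samples (drop this line when pasting into Filebeat).
console.log(redactSamples().join("\n"));
```
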
