Anonymize part of string


I have access logs which contains sensitive data

[2023-00-00T00:00:00.000] ... "GET /" ...

Is it possible to anonymize password value in that string?

The following gsub filter can do that:

filter {
    mutate {
        gsub => ["fieldName","password=(\S+)&user","password=REDACTED&user"]

Where the fieldName is the field that has the following string:

1 Like

On a non-elastic related note, using the URL to store secrets is bad idea, if at all possible I would advise you to have the application changed instead of only obfuscating the logs within elastic.

Couple of sources to help understand why this is a bad idea:

@leandrojmp thank you for advice.

I've solved it with adding processors section into filebeat configuration

  - script:
      lang: javascript
      source: >
        function process(event) {
            event.Put("message, event.Get("message")
              .replace(/(password=)[set of symbols]+(&?), "$1HIDDEN$2")
              .replace(/(user=)[set of symbols]+(&?), "$1HIDDEN$2");

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.