How to mask or hash certain details in my SMTP log messages

_Hi guys, I'm sending SMTP logs to our MSSP using Logstash, but we are required to mask some details in our logs, like the sender and recipient email addresses and the subject, before forwarding them to our MSSP due to some privacy requirements. Please see the sample logs below. I'm not sure if this is possible. I'm a newbie to Logstash and I don't know where to start._

Our regular SMTP log message:

2018:03:27-10:04:10 XMmailServer1 smtpd[28584]: SCANNER[28584]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.5.100.11" from="sender.name@senderaddress.com" to="recipient.name@receiveremail.com " subject="Re:Subject of the email need to hash or mask " queueid="1f0dy6-0007R2-62" size="34876"

Our required SMTP log message output sample:
You will notice that we are required to mask after the 5th digit of the sender, recipient and subject.

2018:03:27-10:04:10 MXServer1 smtpd[28584]: SCANNER[28584]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.5.100.11" from="sende####@senderaddress.com" to="recip####@receiveremail.com " subject="Re:Su#####" queueid="1f0dy6-0007R2-62" size="34876"

Thank you in advance for the help..!!

You can use regex with mutate's gsub function to do that, something like below might work...not sure how mutate handles regex flags....and I am a complete novice with regex so there might be a better way.

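mutate {
  gsub => [
    # gsub takes the pattern as a plain string (no /.../ delimiters or flags)
    # and replaces every match in the field.
    # This masks the five characters before the @ and keeps the @ itself.
    "FieldName", ".....@", "#####@"
  ]
}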

Thanks, I think that's the right plugin, but my problem now is I don't know how to format or convert the log sample below.

Like from this message field example: from="sender.name@senderaddress.com"
to this message example output: from="sende#####@senderaddress.com"

Thanks !

I'm sorry, I don't understand what you mean.
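The masking asked for in this thread, worked through in Ruby (the regex dialect Logstash's gsub uses) as an added example that is not part of any post. The function names, the fixed-width `#####` mask, the handling of values of five characters or fewer, and the `example.com` address in the test are assumptions; the sample line is the one from the question.

```ruby
# Added example: mask sender, recipient and subject in one SMTP log line
# before it is forwarded. Not code from the thread.
KEEP = 5        # characters left readable (the thread's requirement)
MASK = "#####"  # fixed-width mask (assumption): does not reveal the original length

# Sample line copied from the question.
SAMPLE = '2018:03:27-10:04:10 XMmailServer1 smtpd[28584]: SCANNER[28584]: ' \
         'id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" ' \
         'srcip="10.5.100.11" from="sender.name@senderaddress.com" ' \
         'to="recipient.name@receiveremail.com " ' \
         'subject="Re:Subject of the email need to hash or mask " ' \
         'queueid="1f0dy6-0007R2-62" size="34876"'

# Keep the first KEEP characters of a value. Values of KEEP characters or
# fewer are masked whole, otherwise they would pass through fully readable
# (assumption: the thread does not say how short values should be handled).
def mask_value(value)
  value.length > KEEP ? value[0, KEEP] + MASK : MASK
end

# Mask the local part of from="..." and to="..." (the domain is kept, as in
# the required output) and the whole subject="..." value.
# Assumption: field values never contain a double quote; if the mail
# gateway can emit one inside a subject, the text after it would not be
# masked, so check the gateway's escaping before relying on this.
def mask_smtp_line(line)
  masked = line.gsub(/\b(from|to)="([^"@]+)(@[^"]*)?"/) do
    # $3 is nil when the address has no domain; it interpolates as "".
    %(#{$1}="#{mask_value($2)}#{$3}")
  end
  masked.gsub(/\bsubject="([^"]*)"/) { %(subject="#{mask_value($1)}") }
end

puts mask_smtp_line(SAMPLE) if __FILE__ == $0
```

Every other field (`srcip`, `queueid`, `size`) passes through unchanged, so the MSSP can still correlate events on them.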

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.