How to mutate sensitive data in logstash

Input : "refNo":"0015531891539643", cardNo=6055490201604225

Requirement: The requirement is to show the first 6 digits and the last 4 digits and mask the remaining digits of cardNo in Logstash. I applied the gsub/mutate filter, but the replacement string doesn't allow regex. Is there any other way this can be done in Logstash for cardNo alone, not refNo?

Output : "refNo":"0015531891539643", cardNo=605549******4225

Provided that you always want ****** (and not to match the number of digits masked) then you could do it using

mutate { gsub => [ "message", "(cardNo=[0-9]{6})[0-9]+([0-9]{4})", "\1******\2" ] }

I tried with the below:

filter {
mutate {
gsub => [ "message", "cardNo : ([0-9]{4})[0-9]+([0-9]{4})", "******" ]
}
}

Output: it's not working.

Could you help me with it?

Your initial post said you have "cardNo=", not "cardNo : "

Sorry, I have now changed it to:
filter {
mutate {
gsub => [ "message", "cardNo= ([0-9]{4})[0-9]+([0-9]{4})", "******" ]
}
}

but the output is the same.

Hi Badger,

I am using the regex given below, but the output does not hide the card number alone if the input is: "refNo":"0015531891539643", cardNo=6055490201604225

filter {
mutate {
gsub => [ "message", "cardNo= ([0-9]{4})[0-9]+([0-9]{4})", "******" ]
}
}

Input : "refNo":"0015531891539643", cardNo=6055490201604225
filter {
mutate {
gsub => ["message", "cardNo=(\d{6})(\d{6})(\d{4})", "\1######\3"]
}
}

Output : refNo:0015531891539643,605549######4225

Problem statement : "cardNo=" is missing

Use the filter I suggested instead of the one you are using. It includes cardNo= in the capture group. Also, there is no point in creating capture groups that you do not backreference.

mutate { gsub => [ "message", "(cardNo=[0-9]{6})[0-9]+([0-9]{4})", "\1******\2" ] }

Thanks for the support, it has been filtered.

One more query: if the input is "expiryDate":"2109", how do I filter it?
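The patterns from this thread, replayed against the sample line, as an added example that is not part of the original posts. It uses Ruby's String#gsub as a stand-in for mutate/gsub (assumed to behave the same for these patterns). `mask_card` and `mask_expiry` are hypothetical helpers that go beyond the thread: one masks a variable number of digits, the other assumes the expiry date should be masked completely.

```ruby
# Constructed sample line, copied from the input quoted in the thread.
SAMPLE = '"refNo":"0015531891539643", cardNo=6055490201604225'

# Pattern/replacement pairs as posted in the thread.
ATTEMPTS = {
  space_after_equals:  [/cardNo= ([0-9]{4})[0-9]+([0-9]{4})/, '******'],
  prefix_not_captured: [/cardNo=(\d{6})(\d{6})(\d{4})/, '\1######\3'],
  accepted:            [/(cardNo=[0-9]{6})[0-9]+([0-9]{4})/, '\1******\2']
}.freeze

# Apply one of the thread's attempts to a log line.
def apply_attempt(name, line = SAMPLE)
  pattern, replacement = ATTEMPTS.fetch(name)
  line.gsub(pattern, replacement)
end

# Hypothetical helper: keep the first 6 and last 4 digits and emit one '*'
# per masked digit. Runs of 10 digits or fewer are masked entirely, so an
# unexpected length never leaves the number readable.
def mask_card(line)
  line.gsub(/(cardNo=)(\d+)/) do
    m = Regexp.last_match
    digits = m[2]
    if digits.length > 10
      m[1] + digits[0, 6] + '*' * (digits.length - 10) + digits[-4, 4]
    else
      m[1] + '*' * digits.length
    end
  end
end

# Hypothetical helper for the follow-up question. Assumption: all four
# digits of the expiry date are to be hidden.
def mask_expiry(line)
  line.gsub(/("expiryDate":")\d{4}(")/, '\1****\2')
end

if __FILE__ == $PROGRAM_NAME
  ATTEMPTS.each_key { |name| puts "#{name}: #{apply_attempt(name)}" }
  puts mask_card(SAMPLE)
  puts mask_expiry('"expiryDate":"2109"')
end
```

In a pipeline, the block form in `mask_card` would need a ruby filter rather than mutate, because the mutate replacement string is static.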
