Mask parts of the message

I am sending application exceptions from Winlogbeat to Logstash. Some parts of the message might contain information I want to mask, for example User and Host. How can I do that? The matched string is:

"message" => "27.03.2018 07:53:39 [ERROR] at MyApp.Controllers.Controller.OnException: \nMessage: Controller exception!\nUser: TestUser \nHost: MyLaptop\n\nSystem.Exception: Testing\n at MyApp.Controllers.DoController.Do() in C:\Users\User\Source\Controllers\DoController.cs:line 20\n at lambda_method(Closure , ControllerBase , Object[] )\n at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)\n

Edit: I forgot to add the configuration I am working with. This is from Logstash, which finds the "User" just fine, but it should find the whole line between \n and \n

		mutate {
			gsub => [
				"message", "[\n]^User", "\ntesting"
				
			]
		}

I am able to match the needed field with:

		mutate {
			gsub => [
				"message", "[\n]^User.*\n", "testingn"
				
			]
		}

So all I have left is the masking part.

Could someone help me with hashing that field, which I can match with that gsub statement? Hashing and unhashing.

After some testing I figured this out. I can get the user data into a new field with

		grok { 
			match => {
				"message" => "User:%{GREEDYDATA:user}Host" 
			} 
		}

Then I can encode it with base64

		ruby {
			init => "require 'base64'"
			# Base64-encode the grok-captured [user] field into a new [encoded] field
			code => "event.set('[encoded]', Base64.encode64(event.get('[user]')))"
		}
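
As an added example (not part of the original posts), the Ruby below masks the `User:` and `Host:` values inside the message with a keyed HMAC-SHA256 token rather than Base64, which anyone can decode. The function names, the key and the shortened sample message are assumptions made for the illustration; the token is one-way, so mapping it back to a value needs a separately protected lookup table.

```ruby
require 'openssl'

# Labels whose values are replaced; taken from the sample message in the post.
MASKED_LABELS = %w[User Host].freeze

# Keyed, one-way pseudonym: same value + same key => same token, so events can
# still be correlated, but the token cannot be decoded back (unlike Base64).
def pseudonym(value, key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, value)[0, 16]
end

# Replace the value on every "User: ..." / "Host: ..." line of the message.
# Handles LF and CRLF line endings; the rest of the text is left untouched.
def mask_message(message, key)
  labels = MASKED_LABELS.join('|')
  message.gsub(/^(#{labels}):[ \t]*([^\r\n]*?)[ \t]*(?=\r?$)/) do
    label = Regexp.last_match(1)
    value = Regexp.last_match(2)
    value.empty? ? "#{label}:" : "#{label}: #{pseudonym(value, key)}"
  end
end

# Constructed sample, shortened from the message shown in the post.
SAMPLE = "27.03.2018 07:53:39 [ERROR] at MyApp.Controllers.Controller.OnException: \n" \
         "Message: Controller exception!\nUser: TestUser \nHost: MyLaptop\n\n" \
         "System.Exception: Testing\n at MyApp.Controllers.DoController.Do()\n"

# Placeholder key for this example only; a real key belongs in a secret store.
EXAMPLE_KEY = 'example-key-not-for-production'

puts mask_message(SAMPLE, EXAMPLE_KEY) if __FILE__ == $PROGRAM_NAME
```

Inside a Logstash `ruby` filter the same function can be applied with `event.set('message', mask_message(event.get('message'), key))`. The pattern only touches lines that start with the label, so a user name that appears elsewhere in the message, such as in a file path in the stack trace, is not masked by it.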
