shree2
January 21, 2021, 4:45pm
1
Hi,
I want to mask the few fields input is coming from json . Please find the configuration below.[a-z])(?=. [A-Z])(?=#.\d)(?=. [#@!%*?&])[a-zA-Z\d@ !%?#&]{8,})", "PASSWORD ***" ]
After running logstash iam getting the output of json without masking
Getting output like this@version " => "1",@timestamp " => 2021-01-21T16:42:41.649Z,
Can you find guide me how to mask those fields.
Thanks,
Badger
January 21, 2021, 5:02pm
2
I would suggest doing the masking after parsing the JSON, but if you want to do it before the gsub patterns would have to result in valid JSON, so something like
"message", '"PIN": \d{4}', '"PIN": "****"'
shree2
January 22, 2021, 7:08am
3
Hi,
I tried parsing json first then mutate gsub even though it's not masking, resulting valid json output.
input
}
}
output
{
}
output:
{
"PIN" => 1234,
"message" => "{\"PIN\":1234}\r",
"@timestamp" => 2021-01-22T07:05:04.730Z,
"@version" => "1",
"host" => "host"
}
Badger
January 22, 2021, 5:35pm
4
If you are going to parse the JSON before doing the mutates then you need to mutate the parsed fields, not the [message] field.
shree2
January 22, 2021, 5:53pm
5
You mean like this.
Copy to clipboard
}
shree2
January 22, 2021, 5:54pm
6
mutate
}
Badger
January 22, 2021, 6:56pm
7
No, more like
mutate { convert => { "PIN" => "string" } }
mutate { gsub => [ "PIN", "\d{4}", "****" ] }
shree2
January 24, 2021, 3:35pm
8
Hi,
I tried the same. But output is not masking.@version " => "1",@timestamp " => 2021-01-24T15:33:54.686Z,
Badger
January 24, 2021, 4:05pm
9
shree2:
"PIN" => 1234,
PIN in an integer there, not a string, so clearly you have not applied the filters I suggested.
shree2
January 25, 2021, 4:52am
10
Hi,
Here is the filter part which i parsed.
mutate
}
shree2
January 29, 2021, 3:31pm
11
Hi,
Any solution?? Waiting for the response.
Thanks
system
February 26, 2021, 3:32pm
12
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.