Sensitive information parsing

mohank44 · February 20, 2018, 4:40pm

Hello All,

I am trying to mask a sensitive information from a log message.

I have given the sample log file and the config file as below. i was trying to do this using gsub with no success. Please review and advise at the earliest.

Sample Log Message :

2018-01-10T16:58:16.925-0700 |[WebContainer : 0]| TRACE | sent | Sent response [<soapenv:Envelope xmlns:soapenv="http://xyz.mlsop.com//envelope/" FirstName>MOHAN1949-12-01

Output from Logstash :

      "Type" => "TRACE",
      "Task" => "sent",
"@timestamp" => 2018-02-20T16:21:35.948Z,
  "Messsage" => " CO Region Expiry days not added to the expiration Date",
  "@version" => "1",
      "host" => "oc1008401175.ibm.com",
   "message" => "2018-01-10T16:58:16.925-0700 |[WebContainer : 0]| TRACE | sent | Sent response [<soapenv:Envelope xmlns:soapenv="http://xyz.mlsop.com//envelope/" FirstName><MiddleName></MiddleName><LastName>MOHAN</LastName><DateOfBirth>1949-12-01</DateOfBirth>",
      "Date" => "2018-01-10T16:58:16.925-0700",
 "MsgSource" => "[WebContainer : 6]",

Config file:

input {
file {
path => "/home/mohank44/Data/6LogAnalysis/PSI/PSItest5.log"
#type => "LOG"
start_position => "beginning"
codec => multiline
{
pattern => "^\A%{TIMESTAMP_ISO8601}%{SPACE}|%{SYSLOG5424SD}|%{SPACE}%{WORD}"
negate => true
what => previous
} }
}
filter{
mutate
{
gsub => ["message", "\n", ""]
gsub => ["message", "\r", ""]
gsub => ["message", "\t", ""]
gsub => ["message", "(%[a-zA-z0-9-]+)", "yyyy-mm-dd"]
}
grok {
match => [ "message", "\A%{TIMESTAMP_ISO8601:Date}%{SPACE}|%{SYSLOG5424SD:MsgSource}|%{SPACE}%{WORD:Type}%{SPACE}|%{SPACE}%{WORD:Task}%{SPACE}|%{GREEDYDATA:Messsage}" ]
overwrite => [ "message" ]
}
date {
match => [ "Date","yyyy-MM-dd'T'HH:mm:ss.SSS-ZZZZ"]
target => "Date"
}

}
output
{
stdout {codec => rubydebug}
#stdout{}
elasticsearch
{
hosts => "localhost"
index => "log-psi-index3"
}
}
Expected Output :

"Message" => "2018-01-10T16:58:16.925-0700 |[WebContainer : 0]| TRACE | sent | Sent response [<soapenv:Envelope xmlns:soapenv="http://xyz.mlsop.com//envelope/" FirstName>MOHANyyyy-mm-dd"

magnusbaeck · February 20, 2018, 8:13pm

gsub => ["message", "(%[a-zA-z0-9-]+)", "yyyy-mm-dd"]

Why do you have a % in your expression? There's no such thing in your input data.
[a-zA-z0-9-]+ is too broad and will match every word.

mohank44 · February 21, 2018, 4:42am

gsub => ["message", "^\d+-\d+-\d+$", "yyyy-mm-dd"]

changed as above, still no success.

Sample Log Message :
2018-01-10T16:58:16.925-0700 |[Container : 0]| TRACE | sent | Sent response [MOHAN1949-12-01<Last4SSN xsi:nil="true"/

magnusbaeck · February 21, 2018, 5:33am

Why do you have ^ and $ in your expression? They anchor the rest of the expression to the beginning and end of the line so you'll only replace date-like sequences if that's the only thing the input line contains.

system · March 21, 2018, 5:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Mask or Hash a certain details on my SMTP Logs Message Logstash	4	694	April 24, 2018
Need help to mask XML elements Logstash	5	656	November 9, 2020
How to mask sensitive data in logstash Logstash	3	3639	March 29, 2019
Anonymization of sensitive data by Logstash Logstash	9	1935	September 22, 2020
Mask parts of the message Logstash	4	968	April 26, 2018

Sensitive information parsing

Related topics