Working on a regex pattern for a watcher that will detect if credit card information is present in our logs. I was hoping that Elastic would have a sample pattern for this as it's one of the specific examples you use here: https://www.elastic.co/products/stack/alerting
-- 
Credit card numbers are visible in your application logs and that's a compliance nightmare. It's time to talk with the application team.
The only other post I found for something similar to this would be from 2017
When you are searching across indexed log files with Watcher you could use the regexp. This, however, is a pretty expensive query, and an interesting question might be whether you are able to actually filter for the credit card pattern during ingestion (either within your ingestion tool or using an ingest processor) and flag those documents as potentially containing credit card information. Then your search for such alerts would become much faster and easier.
Thank you for your response. I do not expect to find much CC information in our logs as we already try to strip that before it gets ingested. This is more for reassurance than anything else. My plan would be to run a regex to find any string of numbers between 14-16 characters (VISA) in logs and store that in a payload and then run a second regex against the payload for actual credit card parameters. Hoping this will reduce the cost of the regex.
The docs from my test index hold messages like so:
American Express,376978891168364,Elijah Hall,Court Street 108,New Zealand,111,3367$,01/2023
342346589207954
6011-2940-4688-2620
5462 8434 9581 9941
I am able to find all the docs using this pattern.
Now I'd like to load the payload that these strings are saved to and then run a regex on that data for CC matches. Is that possible?
Any help is appreciated.
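The two-stage approach described in the post (a cheap digit-run filter first, then stricter card checks only on the candidates), as an added Python example that is not code from the thread or from Elastic; the Watcher/Painless plumbing is left out. It assumes the second-stage "card parameters" are issuer prefix and length patterns plus a Luhn checksum, masks every match so the alert payload itself does not re-expose the number, and uses sample lines constructed from the formats quoted above.

```python
import re

# Constructed sample log lines, modelled on the message formats quoted in the post.
SAMPLE_LOGS = [
    "American Express,376978891168364,Elijah Hall,Court Street 108,New Zealand,111,3367$,01/2023",
    "342346589207954",
    "6011-2940-4688-2620",
    "5462 8434 9581 9941",
    "order_id=12345678901234 status=ok",  # 14 digits that are not a card number
    "request completed in 12 ms",
]

# Stage 1 (cheap): 14-16 digits, optionally grouped by spaces/dashes, not inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,15}\d(?!\d)")

# Stage 2 (assumed "card parameters"): issuer prefix + length, then a Luhn checksum.
BRAND_RES = {
    "visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "mastercard": re.compile(r"^(?:5[1-5]\d{2}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}$"),
    "amex": re.compile(r"^3[47]\d{13}$"),
    "discover": re.compile(r"^6(?:011|5\d{2})\d{12}$"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(digits: str):
    """Issuer name if the digit string passes Luhn and an issuer pattern, else None."""
    if not luhn_ok(digits):
        return None
    return next((brand for brand, rx in BRAND_RES.items() if rx.match(digits)), None)

def find_cards(line: str):
    """Both stages over one line -> [(issuer, masked PAN)], so the alert payload
    never re-exposes the full number."""
    hits = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        brand = classify(digits)
        if brand:
            hits.append((brand, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan(lines):
    """Map line index -> hits for every line holding at least one confirmed PAN."""
    return {i: hits for i, line in enumerate(lines) if (hits := find_cards(line))}
```

The 14-digit `order_id` line passes stage 1 but is rejected by the Luhn check, which is the false-positive class the second pass exists to remove.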