topic Re: Mask Splunk access logs in Security

Mask Splunk access logs

BryanBerry — Tue, 01 Oct 2013 17:47:32 GMT

I'm wondering if it's possible to mask/scrub the Splunk access logs. If so, how?

It's for a security requirement. We have a search page that does a one-way hash of an input value and searches for the hash, but we don't want any written record of the input value. This value would appear in the Splunk access logs for a given request.

Edit:
I would like to do this for the Splunk access logs on the filesystem.

Re: Mask Splunk access logs

alacercogitatus — Tue, 01 Oct 2013 20:58:54 GMT

Yes, yes you can. You will need to make a transforms for the splunkd_access logs. Ref: http://docs.splunk.com/Documentation/Splunk/5.0.5/admin/Transformsconf

props.conf
[splunkd_access] TRANSFORMS-splunkdhash = splunkd-masker

transforms.conf
[splunkd-masker] REGEX = (?m)^(.*)fieldofhash=YOUR_REGEX_FOR_HASH(.*)$ FORMAT = $1=anonyhash$2 DEST_KEY = _raw

Re: Mask Splunk access logs

BryanBerry — Tue, 01 Oct 2013 21:13:25 GMT

Sorry, I wasn't clear. I mean to mask Splunk's access logs on the filesystem itself.

Re: Mask Splunk access logs

alacercogitatus — Mon, 07 Oct 2013 17:30:37 GMT

Then no. Splunkd writes those out. You could cron a script to replace in the file, but then Splunk re-indexes it.

Re: Mask Splunk access logs

dwaddle — Mon, 07 Oct 2013 17:37:55 GMT

It is likely not possible to mask these directly in the Splunk access logs before they are written to flat files on disk. It may be possible with some deep hacking into Splunkweb and/or new framework (written in python) - but if it is showing up in the splunkd_access.log, then that's compiled C++ code that you cannot even change.

Re: Mask Splunk access logs

BryanBerry — Mon, 07 Oct 2013 17:55:45 GMT

Not the answer I was hoping for, but an effective answer. Thanks