topic Anonymize the sensitive data no gaurantee in splunk? in Getting Data In

Anonymize the sensitive data no gaurantee in splunk?

splunkatl — Wed, 17 Oct 2012 20:24:29 GMT

I was failed to make the data anonymized in splunk .Passwords showing up in results even configured props and transforms.conf as meniotned in following doc.

http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Anonymizedatausingconfigurationfiles#Replace_strings_with_regex_match

Here is my example log lines

time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: dLgizscxVCzeLVTO7kuVzmsjP973vDMMmu+fE6FcLiTX+fKuCcBDAPAQjvi
 fu3InFywq0ELXzHIYLhcCBpinxdPVlgNpMcWOENWTDUrqWt+lhBJ7zrfAhgEHJFdGTAmA3Sj/ITr
 sodsVCD8u4Y1X3+SLySA3hPKynu2+lzFdKiXuCgSF1ka4nTudeICruPRRx8gmdo6S6sQmV+O3Snn
 DJw==
-
replace: modifiersname
modifiersname: cn=xxxx,dc=xxxxx,dc=com
-
replace: modifytimestamp
modifytimestamp: 20120913025738Z
-

I need to mask the xxxPasswordData whenever it apperas with values as xxxPasswordData:############==

Here is Props.conf

[default]
sourcetype = auditlog

[auditlog]
TRANSFORMS-anonymize = xxxpassworddata, userpassword

Transforms.conf

[xxxpassworddata]
DEST_KEY = _raw
REGEX = (m?)xxxPasswordData\:\s([^\==]+).*)
FORMAT = xxxPasswordData:################==

After all above configurations. splunk just showing data in normal way with out masking .

Re: Anonymize the sensitive data no gaurantee in splunk?

kristian_kolb — Wed, 17 Oct 2012 21:02:20 GMT

I believe that there may be 3 things here (in no particular order);

your events are not being classified as auditlog at all. Therefore the TRANSFORMS-anonymize does not get applied. Verify that the events have the correct sourcetype.
Your regex capturing is wrong. Specifically the ([^\==]). Is that part of the log really multiline, or just linewrapped in your post? (\S+) could work instead, i.e. all non-whitespace characters. That would capture everything up to (and including) the ending ==
There seems to be a closing parentheses at the end of the regex, which may cause it to fail.

Hope this helps,

Kristian

Re: Anonymize the sensitive data no gaurantee in splunk?

dwaddle — Wed, 17 Oct 2012 21:16:55 GMT

Also, this change only affects new data. Previously indexed data will not be changed by this.

Re: Anonymize the sensitive data no gaurantee in splunk?

splunkatl — Thu, 18 Oct 2012 17:24:17 GMT

Kristian Thanks for responding!!
It will be a puzzle always to accomplish even a simple implementation task in splunk.
I have checked all your points
1)sourcetype is correct to what I mentioned in props.conf.
2) All Lines come exactly same as I copied in my previous post
3)Always testing with newly indexed data
4)slightly modified the REXEX, FORMAT remained unchanged.
REGEX =(?m)xxxPasswordData:\s(\S+)
FORMAT = xxxPasswordData:##########==
Result is, whole event is gone and replaced with just the line xxxPasswordData:################==
I think it actually masking the whole event instead of xxxPasswordData value line.

My desired output is
time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: ############==
replace: modifiersname

modifiersname: cn=xxxx,dc=xxxxx,dc=com

replace: modifytimestamp

modifytimestamp: 20120913025738Z

Re: Anonymize the sensitive data no gaurantee in splunk?

_d_ — Fri, 19 Oct 2012 05:44:17 GMT

Try this:

REGEX =(?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*) FORMAT = $1xxxPasswordData:################==\n$3

Hope this helps,