topic Re: SEDCMD to anonymize CC data isnt working in Getting Data In

SEDCMD to anonymize CC data isnt working

doreno — Tue, 19 Feb 2013 19:03:46 GMT

Hi,

Ive been playing with the SEDCMD in my props.conf to anonymize CC data in a log.

Originally I tried this:

[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum:\s+\d{16}/strRtCardNum: ################/g

I changed that based on the splunk example given:

SEDCMD-accounts = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/

So now its this:

[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum=\s+\d{16}/strRtCardNum= ################/g

And its still not working. This is getting frustrating. Has anyone gotten this to work right? What am I doing wrong?

Re: SEDCMD to anonymize CC data isnt working

jonuwz — Tue, 19 Feb 2013 20:31:32 GMT

Can you provide a sample of the an original event ? (just set the cc number to 99999999999999 or something.

whats after the string strRtCardNum is it a : or a = ?
Is there really a space before the card number ?

Re: SEDCMD to anonymize CC data isnt working

Ayn — Tue, 19 Feb 2013 20:34:34 GMT

Is this done on a Universal Forwarder or an indexer?

Re: SEDCMD to anonymize CC data isnt working

doreno — Tue, 19 Feb 2013 20:51:31 GMT

Its in a props.conf that is being sent to all indexers with the deployment server.

Heres some sample data.

CheckoutServices.finishPaymentStartOrderReview: inside is mode check Shopper: 5555555
CheckoutServices.finishPaymentStartOrderReview: ccNum: 9999999999999999 Shopper: 5555555

strRTCardNum was something the splunk consultant put in before he left, though im not sure where he got it. Its never worked right.

Thanks guys!

Re: SEDCMD to anonymize CC data isnt working

Ayn — Tue, 19 Feb 2013 20:59:19 GMT

Well if the string "strRTCardNum" isn't in your event, then a regex looking for that string will obviously not match.

Re: SEDCMD to anonymize CC data isnt working

jonuwz — Tue, 19 Feb 2013 21:23:15 GMT

[host::nas.x.com]
SEDCMD-cc_anon = s/ccNum:\s+\d{16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/

providing the data comes from host called nas.x.com

Re: SEDCMD to anonymize CC data isnt working

doreno — Tue, 19 Feb 2013 23:39:24 GMT

Thank you sir. Im trying this now and will let you know what happens.

Re: SEDCMD to anonymize CC data isnt working

mbenwell — Wed, 20 Feb 2013 01:24:32 GMT

I've found using perl on the command line is the easiest way to troubleshoot SEDCMD
i.e.
perl -pe 's/ccNum:\s([0-9]{16})/ccNum: xxxx/g'

It's a quick way to see if the SEDCMD works at all, and if the output is in the format you're trying to get

Re: SEDCMD to anonymize CC data isnt working

doreno — Wed, 20 Feb 2013 01:29:37 GMT

Awesome, that worked! Only problem is now I found some 15 digit american express cards that also need to be blocked out but I think I can figure that out. Thank you gentlemen very much!

Re: SEDCMD to anonymize CC data isnt working

mbenwell — Wed, 20 Feb 2013 01:40:26 GMT

try modifying \d{16} to \d{15,16}

Re: SEDCMD to anonymize CC data isnt working

doreno — Wed, 20 Feb 2013 02:08:44 GMT

ok, so can i take the string out altogether and simply match all 16 digit numbers in this log?

Re: SEDCMD to anonymize CC data isnt working

mbenwell — Wed, 20 Feb 2013 02:57:07 GMT

yeah, something like
s/\d{15,16}/xxxx/g
should work to replace all instances of 15 or 16 consecutive numbers
The "ccNum" string before hand is just to ensure the digits being matched are always after the string ccNum