How can I encrypt or hash a field before index?

daniel333
Builder

Good morning,

I have a log file in which, I am told by security, the email addresses need to be hashed. Any idea how I do this?

0 Karma

gcusello
SplunkTrust

Hi daniel333,
as @Damien Dallimore said, there isn't any way to do this in Splunk.
For one of our customers, at the suggestion of Splunk Professional Services, we encrypted a field in a log by pre-processing it with an external PHP script that used a certificate to get reversible encryption.
In this way we're able to decrypt the field and know the real value of this field (an account name in proxy navigation).
The procedure is this:

  • we receive syslogs from proxies in a syslog server,
  • we write them in a file,
  • we parse the file encrypting the account field,
  • we ingest it in Splunk.

Bye.
Giuseppe

0 Karma

Damien_Dallimor
Ultra Champion

If you want to hash a field or encrypt a field or encrypt a hash of a field (it's not clear from your post title and body), then you can't do this natively with Splunk. You'll need an App/Add-On/Custom code etc... to perform some sort of pre-processing for you.

Depending on how you are indexing your data, you can get some ideas from this blog post: www.baboonbones.com/blog/get-binary-data-splunk/, in particular the "Data Obfuscation in Splunk Enterprise" link.

0 Karma
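The pre-processing step both answers describe, applied to the email addresses in the question, as an added example that is not code from either poster: each address is replaced with a keyed HMAC-SHA256 token before the file reaches Splunk. An HMAC is used instead of a bare hash because unkeyed hashes of email addresses can be recovered by hashing candidate addresses. The regex, the `email_hmac:` prefix, the function names, the key and the sample lines are all assumptions made for this example.

```python
import hashlib
import hmac
import re

# Pragmatic matcher for addresses in free-text log lines (not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def pseudonymize_email(address: str, key: bytes) -> str:
    """Return a keyed, deterministic token for one address."""
    normalized = address.strip().lower()  # same mailbox -> same token regardless of case
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return "email_hmac:" + digest[:32]    # 128 bits kept; prefix makes tokens easy to search

def scrub_line(line: str, key: bytes) -> str:
    """Replace every address found in a log line with its token."""
    return EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0), key), line)

def scrub_file(src_path: str, dst_path: str, key: bytes) -> int:
    """Write a scrubbed copy of src_path for Splunk to monitor; return lines processed."""
    count = 0
    with open(src_path, encoding="utf-8", errors="replace") as src, \
         open(dst_path, "w", encoding="utf-8") as dst:
        for line in src:
            dst.write(scrub_line(line, key))
            count += 1
    return count

# Constructed sample key and log lines, not taken from any real system.
# In production the key comes from a secret store and never lands in the index.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z login ok user=Alice@Example.com src=10.0.0.5",
    "2024-01-01T10:00:07Z mail from=alice@example.com to=bob@example.org size=2048",
    "2024-01-01T10:00:09Z health check passed",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(scrub_line(sample, SAMPLE_KEY))
```

Because the token is deterministic for a given key, searches and `stats` by the hashed field still group events for the same mailbox; rotating the key breaks that continuity across the rotation point.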