
Anonymize -p password

narenpalepu
New Member

I need to anonymize -p passwords that are appearing in syslog.

Used
props.conf
[syslog_log_control]
source::/var/log/syslog
TRANSFORMS = auth-password-anonymizer

transforms.conf
auth-password-anonymize]
REGEX = -p [0-9A-Za-z]\w{9,255}
FORMAT = $1-p =########$2
DEST_KEY = _raw

I am seeing syslog "Cannot parse into key-value pair" errors:

02-01-2018 00:17:29.320 +0000 WARN ProcessTracker - (child_183__Fsck) IniFile - /opt/splunk/etc/slave-apps/_cluster/local/props.conf, line 95: Cannot parse into key-value pair: source::/var/log/syslog

Please advise

Thanks,

NP

0 Karma
1 Solution

micahkemp
Champion

You have no capture groups defined in your regex, and thus $1 and $2 can't be used. Try this:

REGEX = ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$
FORMAT = $1-p ########$2

Though it may make sense to use SEDCMD here instead, because you can more easily replace part of a string (instead of rewriting the entire string from components, as you're doing above).

In props.conf:

[syslog_log_control]
SEDCMD-anonymize = s/-p [0-9A-Za-z]\w{9,255}/-p ########/

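As an added illustration (not part of the thread), the Python below emulates both approaches from the answer on constructed syslog lines and then checks which -p values are still visible afterwards. It assumes Python's re behaves like Splunk's PCRE for this particular pattern, which holds here.

```python
import re

# Pattern from the accepted answer: -p [0-9A-Za-z]\w{9,255}
PASSWORD_RE = re.compile(r"-p [0-9A-Za-z]\w{9,255}")

# Pattern from the TRANSFORMS variant: ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$
TRANSFORM_RE = re.compile(r"^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$")


def anonymize_sedcmd(line: str) -> str:
    # SEDCMD-anonymize = s/-p [0-9A-Za-z]\w{9,255}/-p ########/
    # No 'g' flag in the answer, so only the FIRST match is rewritten.
    return PASSWORD_RE.sub("-p ########", line, count=1)


def anonymize_transform(line: str) -> str:
    # REGEX = ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$ with FORMAT = $1-p ########$2
    # The greedy (.*) backtracks from the end, so the LAST qualifying -p is rewritten.
    m = TRANSFORM_RE.match(line)
    if m is None:
        return line
    return f"{m.group(1)}-p ########{m.group(2)}"


def leaked_passwords(line: str) -> list:
    # Defender-side check: any -p value still present after masking.
    # Deliberately looser than the masking regex so it catches what the mask missed.
    return [v for v in re.findall(r"-p (\S+)", line) if v != "########"]


# Constructed sample lines (not taken from the original post)
SAMPLES = [
    "Feb  1 00:17:29 host mysql[123]: mysql -u admin -p Sup3rSecret123 -h db",
    "Feb  1 00:17:30 host app[124]: login -p short1 user=bob",            # < 10 chars: not masked
    "Feb  1 00:17:31 host app[125]: cmd -p P@ssw0rd!2018 ok",            # '@' and '!' are not \w: not masked
    "Feb  1 00:17:32 host app[126]: a -p firstpassword1 b -p secondpassword2",  # two passwords
]

if __name__ == "__main__":
    for line in SAMPLES:
        for name, fn in (("SEDCMD", anonymize_sedcmd), ("TRANSFORMS", anonymize_transform)):
            out = fn(line)
            print(f"{name:10} {out}\n{'':10} still visible: {leaked_passwords(out)}")
```

The two short-password and special-character lines show that \w{9,255} lets some secrets through, and the last line shows that neither variant masks more than one occurrence per event.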

narenpalepu
New Member

Thanks a lot to both.

props.conf
[source::/var/log/syslog]
TRANSFORMS = auth-password-anonymizer

transforms.conf
[auth-password-anonymizer]
REGEX = ^(.*)-p [0-9A-Za-z]\w{9,255}(.*?)$
FORMAT = $1-p ########$2
DEST_KEY = _raw

0 Karma


maciep
Champion

Are you trying to set the source to /var/log/syslog? Or is that the source you want to apply the transform to? I don't think your props is doing either correctly, which is why I think it's barking at you.

But it also looks like you may have typed that in above or missed some bits during copy/paste, so not sure if that's exactly how your config looks?

0 Karma