I failed to make the data anonymized in Splunk. Passwords are showing up in results even after configuring props.conf and transforms.conf as mentioned in the following doc.
Here are my example log lines:
time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: dLgizscxVCzeLVTO7kuVzmsjP973vDMMmu+fE6FcLiTX+fKuCcBDAPAQjvi
fu3InFywq0ELXzHIYLhcCBpinxdPVlgNpMcWOENWTDUrqWt+lhBJ7zrfAhgEHJFdGTAmA3Sj/ITr
sodsVCD8u4Y1X3+SLySA3hPKynu2+lzFdKiXuCgSF1ka4nTudeICruPRRx8gmdo6S6sQmV+O3Snn
DJw==
-
replace: modifiersname
modifiersname: cn=xxxx,dc=xxxxx,dc=com
-
replace: modifytimestamp
modifytimestamp: 20120913025738Z
-
I need to mask the xxxPasswordData value whenever it appears, so that it shows as xxxPasswordData:############==
Here is props.conf:
[default]
sourcetype = auditlog
[auditlog]
TRANSFORMS-anonymize = xxxpassworddata, userpassword
transforms.conf:
[xxxpassworddata]
DEST_KEY = _raw
REGEX = (m?)xxxPasswordData\:\s([^\==]+).*)
FORMAT = xxxPasswordData:################==
After all of the above configuration, Splunk is just showing the data in the normal way, without masking.
Try this:
REGEX = (?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*)
FORMAT = $1xxxPasswordData:################==\n$3
Hope this helps,
d.
Kristian, thanks for responding!!
It will always be a puzzle to accomplish even a simple implementation task in Splunk.
I have checked all your points:
1) The sourcetype is correct, matching what I mentioned in props.conf.
2) All lines come through exactly the same as I copied in my previous post.
3) I am always testing with newly indexed data.
4) I slightly modified the REGEX; FORMAT remained unchanged.
REGEX = (?m)xxxPasswordData:\s(\S+)
FORMAT = xxxPasswordData:##########==
The result is that the whole event is gone, replaced with just the line xxxPasswordData:################==
I think it is actually masking the whole event instead of the xxxPasswordData value line.
My desired output is:
time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: ############==
replace: modifiersname
replace: modifytimestamp
I believe that there may be 3 things here (in no particular order);
auditlog at all. Therefore the TRANSFORMS-anonymize does not get applied. Verify that the events have the correct sourcetype.
([^\==]). Is that part of the log really multiline, or just linewrapped in your post?
(\S+) could work instead, i.e. all non-whitespace characters. That would capture everything up to (and including) the ending ==
Hope this helps,
Kristian
Also, this change only affects new data. Previously indexed data will not be changed by this.
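As an added illustration (not part of the thread, and not Splunk's own code), the following Python script replays the transforms discussed above against the sample event and shows why each behaves as reported: the question's first REGEX has an unbalanced parenthesis and never compiles, the follow-up REGEX matches but its FORMAT carries no $n references so the whole _raw is replaced by the FORMAT string, and d.'s version writes the captured context back around the mask. The apply_raw_transform helper is an assumed approximation of how Splunk handles DEST_KEY = _raw, the \n in FORMAT is treated as a real newline, and the separator-preserving variant at the end is an added suggestion rather than something the thread proposes.

```python
import re

# Constructed sample event modelled on the LDIF-style audit log quoted in the
# thread; the password value is placeholder text, not real data.
SAMPLE_EVENT = (
    "time: 20120912225738\n"
    "dn: uid=xxxxxx,,dc=xxxx,dc=com\n"
    "changetype: modify\n"
    "replace: xxxPasswordData\n"
    "xxxPasswordData: dLgizscxVCzeLVTO7kuVzmsjP973vDMMmu+fE6FcLiTX+fKuCcBDAPAQjvi\n"
    "fu3InFywq0ELXzHIYLhcCBpinxdPVlgNpMcWOENWTDUrqWt+lhBJ7zrfAhgEHJFdGTAmA3Sj/ITr\n"
    "sodsVCD8u4Y1X3+SLySA3hPKynu2+lzFdKiXuCgSF1ka4nTudeICruPRRx8gmdo6S6sQmV+O3Snn\n"
    "DJw==\n"
    "-\n"
    "replace: modifiersname\n"
    "modifiersname: cn=xxxx,dc=xxxxx,dc=com\n"
    "-\n"
    "replace: modifytimestamp\n"
    "modifytimestamp: 20120913025738Z\n"
    "-\n"
)

MASK = "################=="


def apply_raw_transform(raw, regex, fmt):
    """Approximate a transforms.conf stanza with DEST_KEY = _raw (assumed model).

    REGEX is run against the whole event. On a match the event's _raw becomes
    FORMAT with $1..$n expanded from the capture groups, so text outside the
    match survives only if a group captured it and FORMAT references that
    group. On no match the event is left untouched. Returns None when REGEX
    does not compile, since such a transform cannot run and masks nothing.
    """
    try:
        pattern = re.compile(regex)
    except re.error:
        return None
    m = pattern.search(raw)
    if m is None:
        return raw

    def expand(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= pattern.groups else ""

    return re.sub(r"\$(\d+)", expand, fmt)


def original_attempt(raw):
    """The question's first REGEX: '(m?)' is a capture group, not the multiline
    flag, and the trailing ')' is unbalanced, so the pattern never compiles."""
    return apply_raw_transform(
        raw, r"(m?)xxxPasswordData\:\s([^\==]+).*)", "xxxPasswordData:" + MASK)


def second_attempt(raw):
    """The follow-up REGEX: it compiles and matches, but FORMAT carries no $n
    references, so the whole event collapses to the FORMAT string."""
    return apply_raw_transform(
        raw, r"(?m)xxxPasswordData:\s(\S+)", "xxxPasswordData:" + MASK)


def answer_transform(raw):
    """d.'s transform: $1 is everything before the value, $2 the value (dropped),
    $3 everything from the next 'replace' on. The '\\n' in FORMAT is written
    here as a real newline (an assumption of this simulation)."""
    return apply_raw_transform(
        raw, r"(?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*)",
        "$1xxxPasswordData:" + MASK + "\n$3")


def separator_preserving_transform(raw):
    """Added variant, not from the thread: stop the value at the LDIF '-'
    separator line so the line-wrapped base64 is masked as one value and the
    separator after it is kept."""
    return apply_raw_transform(
        raw, r"(?s)^(.*?xxxPasswordData: )(.+?)(\n-\n.*)", "$1" + MASK + "$3")


if __name__ == "__main__":
    for name, fn in (("original", original_attempt), ("second", second_attempt),
                     ("answer", answer_transform),
                     ("separator-preserving", separator_preserving_transform)):
        print(f"--- {name} ---")
        print(fn(SAMPLE_EVENT))
```

Running the script prints the outcome of each stanza side by side; the important point for masking with DEST_KEY = _raw is that whatever the match does not capture and FORMAT does not write back is lost, which is why the second attempt leaves only the mask line.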