Getting Data In

Anonymize the sensitive data no gaurantee in splunk?

splunkatl
Path Finder

I was failed to make the data anonymized in splunk .Passwords showing up in results even configured props and transforms.conf as meniotned in following doc.

http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Anonymizedatausingconfigurationfiles#Replace_...

Here is my example log lines

time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: dLgizscxVCzeLVTO7kuVzmsjP973vDMMmu+fE6FcLiTX+fKuCcBDAPAQjvi
 fu3InFywq0ELXzHIYLhcCBpinxdPVlgNpMcWOENWTDUrqWt+lhBJ7zrfAhgEHJFdGTAmA3Sj/ITr
 sodsVCD8u4Y1X3+SLySA3hPKynu2+lzFdKiXuCgSF1ka4nTudeICruPRRx8gmdo6S6sQmV+O3Snn
 DJw==
-
replace: modifiersname
modifiersname: cn=xxxx,dc=xxxxx,dc=com
-
replace: modifytimestamp
modifytimestamp: 20120913025738Z
-

I need to mask the xxxPasswordData whenever it apperas with values as xxxPasswordData:############==

Here is Props.conf

[default]
sourcetype = auditlog

[auditlog]
TRANSFORMS-anonymize = xxxpassworddata, userpassword

Transforms.conf

[xxxpassworddata]
DEST_KEY = _raw
REGEX = (m?)xxxPasswordData\:\s([^\==]+).*)
FORMAT = xxxPasswordData:################==

After all above configurations. splunk just showing data in normal way with out masking .

Tags (2)
0 Karma
1 Solution

_d_
Splunk Employee
Splunk Employee

Try this:

REGEX =(?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*)
FORMAT = $1xxxPasswordData:################==\n$3

Hope this helps,

d.

View solution in original post

0 Karma

_d_
Splunk Employee
Splunk Employee

Try this:

REGEX =(?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*)
FORMAT = $1xxxPasswordData:################==\n$3

Hope this helps,

d.

0 Karma

splunkatl
Path Finder

Kristian Thanks for responding!!
It will be a puzzle always to accomplish even a simple implementation task in splunk.
I have checked all your points
1)sourcetype is correct to what I mentioned in props.conf.
2) All Lines come exactly same as I copied in my previous post
3)Always testing with newly indexed data
4)slightly modified the REXEX, FORMAT remained unchanged.
REGEX =(?m)xxxPasswordData:\s(\S+)
FORMAT = xxxPasswordData:##########==
Result is, whole event is gone and replaced with just the line xxxPasswordData:################==
I think it actually masking the whole event instead of xxxPasswordData value line.

My desired output is
time: 20120912225738
dn: uid=xxxxxx,,dc=xxxx,dc=com
changetype: modify
replace: xxxPasswordData
xxxPasswordData: ############==
replace: modifiersname

modifiersname: cn=xxxx,dc=xxxxx,dc=com

replace: modifytimestamp

modifytimestamp: 20120913025738Z

0 Karma

kristian_kolb
Ultra Champion

I believe that there may be 3 things here (in no particular order);

  1. your events are not being classified as auditlog at all. Therefore the TRANSFORMS-anonymize does not get applied. Verify that the events have the correct sourcetype.
  2. Your regex capturing is wrong. Specifically the ([^\==]). Is that part of the log really multiline, or just linewrapped in your post? (\S+) could work instead, i.e. all non-whitespace characters. That would capture everything up to (and including) the ending ==
  3. There seems to be a closing parentheses at the end of the regex, which may cause it to fail.

Hope this helps,

Kristian

dwaddle
SplunkTrust
SplunkTrust

Also, this change only affects new data. Previously indexed data will not be changed by this.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...