How to mask passwords from splunk logs?

ssyed2009 · ‎02-27-2018

time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}

Currently, I am trying under props.conf but it doesn't seem to work.

SEDCMD-masking = s/\suserPassword:\s\S+/\suserPassword:\s/################################################/

mdsnmss · ‎02-27-2018

You can try a combination of props.conf and transforms.conf: https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata

props.conf

[<spec>]
TRANSFORMS-mask = password-masker

transforms.conf

[password-masker]
REGEX = (?m)^(.*)userPassword:\s(\S+)(.*)$
FORMAT = $1userPassword: ################################################$3
DEST_KEY = _raw

ssyed2009 · ‎02-28-2018

I tried the above transform and props config and it is modifying the whole event and just showing

userPassword: ################################################

mdsnmss · ‎02-28-2018

Is this your full event you are trying to modify?

time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}

It's likely having issues with the multiline format. Try the regex (?s)(.*)userPassword:\s(\S+)(.*)$

mdsnmss · ‎02-27-2018

The SEDCMD is also an option which is what you are attempting. It looks like your regex may be missing for "/g" flag for replacing matches.

mdsnmss · ‎02-27-2018

SEDCMD-masking = s/suserPassword:\s\S+/suserPassword:\s/################################################\1/g

You may also want to reduce the number of "#" if that isn't of importance. You don't want to necessarily make your data size larger.

How to mask passwords from splunk logs?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...