
How to mask passwords from splunk logs?

New Member
time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}

Currently, I am trying under props.conf but it doesn't seem to work.

SEDCMD-masking = s/\suserPassword:\s\S+/\suserPassword:\s/################################################/
0 Karma

Re: How to mask passwords from splunk logs?

SplunkTrust

You can try a combination of props.conf and transforms.conf: https://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Anonymizedata

props.conf

[<spec>]
TRANSFORMS-mask = password-masker

transforms.conf

[password-masker]
REGEX = (?m)^(.*)userPassword:\s(\S+)(.*)$
FORMAT = $1userPassword: ################################################$3
DEST_KEY = _raw

Re: How to mask passwords from splunk logs?

SplunkTrust

The SEDCMD is also an option, which is what you are attempting. It looks like your regex may be missing the "/g" flag for replacing matches.

0 Karma

Re: How to mask passwords from splunk logs?

SplunkTrust

SEDCMD-masking = s/(userPassword:\s)\S+/\1################################################/g

You may also want to reduce the number of "#" if that isn't of importance. You don't want to necessarily make your data size larger.

0 Karma

Re: How to mask passwords from splunk logs?

New Member

I tried the above transform and props config and it is modifying the whole event and just showing

userPassword: ################################################

0 Karma

Re: How to mask passwords from splunk logs?

SplunkTrust

Is this your full event you are trying to modify?

time: 20180227120538
... 1 line omitted ...
changetype: modify
replace: userPassword
userPassword: {1234}

It's likely having issues with the multiline format. Try the regex (?s)(.*)userPassword:\s(\S+)(.*)$

0 Karma
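
Added example, not code from any poster in this thread or from Splunk: a Python model of the two transforms.conf regexes and of a sed-style global substitution, run against the event from the question. It assumes Python's `re` behaves like Splunk's regex engine for these patterns; `apply_transform` and `apply_sed` are hypothetical helper names, and the second password line is constructed to show where the `(?s)` transform leaves a value unmasked.

```python
import re

MASK = "########"  # shorter than the thread's mask, as one reply suggests

# Event text as posted in the question (the omitted line stays omitted).
EVENT = (
    "time: 20180227120538\n"
    "... 1 line omitted ...\n"
    "changetype: modify\n"
    "replace: userPassword\n"
    "userPassword: {1234}\n"
)
# Constructed variant with a second password line, to show a coverage gap.
TWO_PASSWORDS = EVENT + "userPassword: {5678}\n"

M_REGEX = r"(?m)^(.*)userPassword:\s(\S+)(.*)$"   # first reply
S_REGEX = r"(?s)(.*)userPassword:\s(\S+)(.*)$"    # last reply
FORMAT = "$1userPassword: " + MASK + "$3"


def apply_transform(raw, regex, fmt=FORMAT):
    """Model a transform with DEST_KEY = _raw: on a match, the expanded
    FORMAT string becomes the whole event; otherwise the event is unchanged."""
    m = re.search(regex, raw)
    if m is None:
        return raw
    # Expand $1..$9 in FORMAT from the capture groups of the match.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", fmt)


def apply_sed(raw):
    """Model a sed-style global substitution that keeps the key via \\1."""
    return re.sub(r"(userPassword:\s)\S+", r"\g<1>" + MASK, raw)


if __name__ == "__main__":
    for name, out in [
        ("(?m) transform", apply_transform(EVENT, M_REGEX)),
        ("(?s) transform", apply_transform(EVENT, S_REGEX)),
        ("sed /g", apply_sed(EVENT)),
        ("(?s) transform, two passwords", apply_transform(TWO_PASSWORDS, S_REGEX)),
        ("sed /g, two passwords", apply_sed(TWO_PASSWORDS)),
    ]:
        print(f"--- {name}\n{out}")
```

The `(?m)` pattern matches only the password line, so writing FORMAT to `_raw` discards the rest of the event; the `(?s)` pattern keeps the event but its greedy first group masks only the last `userPassword:` value.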