Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to prevent sensitive key-value pair in IIS cookie data from appearing in Splunk?

chrismullen
Explorer
‎07-29-2014 01:46 PM

Hi,

I'm wondering if there is a way to prevent a sensitive key-value pair that exists in cs_Cookie from appearing in Splunk. I have tried using SEDCMD on the forwarder, and it does change the _raw data, but the indexed value of cs_Cookie still contains the original data. For example:

IIS log

.. cs_Cookie ..

.. foo=bar;hide=me ..

props.conf

SEDCMD-cookie-cleaner = s/hide=\w+/hide=XXXX/g

As expected, this changes the _raw data to:

.. foo=bar;hide=XXXX ..

But, when I expand an event:

cs_Cookie="foo=bar;hide=me"

How is the original value making it to the indexer, and how can I get rid of it?

Thanks!

Reply

strive
Influencer
‎07-29-2014 02:56 PM

You have done using sed script in props.conf. As per Splunk documentation sed scripts act only on _raw field.

try anonymyzing data using regex transform and using the transform in props.conf

For more details, check this

http://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Anonymizedatausingconfigurationfiles

Reply

strive
Influencer
‎07-31-2014 10:59 PM

For the sample log that you have given, the foo=bar is in 11th position. I am taking space as the separator between positions.

For your log sample, please see below.

transforms.conf
[anonymize_IP_Address]
REGEX = (?i)^(?:[^ ]+ ){10}(?:foo=)([^ ]+)
DEST_KEY = _raw
FORMAT = $1###$2

props.conf
[my_sourcetype]
TRANSFORMS-include = anonymize_IP_Address

Since splunk automatically extracts the key value pairs and if the above configuration doesn't work then you add KV_MODE = none to your sourcetype in props.conf. For more information on KV_MODE, see props.conf splunk documentation

0 Karma
Reply

chrismullen
Explorer
‎07-30-2014 03:34 PM

Here is a sample:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2014-07-30 22:25:39 ::1 GET / test16 8080 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko foo=bar - 200 0 0 299 281 0

I have simplified it, but basically I would want:

cs(Cookie)="foo=bar"

to be transformed into

cs(Cookie)="foo=###"

0 Karma
Reply

strive
Influencer
‎07-29-2014 11:46 PM

I had to anonymize a field in my log events.. and i did this and it worked

transforms.conf

[anonymize_IP_Address]
REGEX =
DEST_KEY = _raw
FORMAT = $1####$4

props.conf

[my_sourcetype]
TRANSFORMS-include = anonymize_IP_Address

If you can post your log events, then we can help

0 Karma
Reply

chrismullen
Explorer
‎07-29-2014 04:54 PM

Thanks for you quick reply.

I have already tried to use a transform unsuccessfully.
Following an example I tried

SOURCE_KEY = MetaData:cs_Cookie
DEST_KEY = MetaData:cs_Cookie

but I still get he original values. Is this the right way to anonymize an extracted field?

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...