Getting Data In

Is it possible to anonymize/mask the data being sent from AIX servers to the Splunk Enterprise 6.6.1?

New Member

We have installed and configured Splunk Universal forwarder 6.6.1 on AIX server. It is working fine and I am able to see the logs in Splunk Enterprise 6.6.1. However the splunk universal forwarder is not anonymizing/masking the data before forwarding it to the indexer when we use regex/sed. Even tried with masking the data at indexer level but no luck.

0 Karma

Legend

Hi
it's not possible in Splunk anonimize data on Forwarders, data mask is performed at index time on indexers (see https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Anonymizedata )
the only way to mask data on forwarders (but it isn't easy) is to pre-parse logs using a script, I don't suggest to do this!

Anyway to do this follow this example (with example regexes):

on props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer, ticket-anonymizer

on transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
[ticket-anonymizer]
REGEX = (?m)^(.*)Ticket=\w+(\w{4}&.*)$
FORMAT = $1Ticket=########$2
DEST_KEY = _raw

Bye.
Giuseppe

0 Karma

SplunkTrust
SplunkTrust

Universal forwarders do not mask data, but your indexers should. If it's not working then there's probably a setting that needs to be changed. Please share the appropriate props.conf and transforms.conf stanzas along with a sample event (please scrub proprietary data).

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks for your quick reply ric:

Sample Log Event: 99xxxxxx0

props.conf
[host::hostname]
SEDCMD-ssn = s/\d{5}(\d{4})/xxx-xx-\1/g

Nothing was added to transforms.conf

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!