Getting Data In

Mask sensitive data

justodaniel
Path Finder

Hi everyone! we are trying to anonymize sensitive information using SEDCMD on props.conf file in the local folder but we haven't gotten success due to a weird behavior, for exemple when we have a simple log
we can easily mask it but a complex one we can not

SEDCMD = s/Senha:[0-9a-zA-Z]{0,32}/Senha:****/g

Bellow follows the log that we consider complex:

{"Bola":"2019-06-17T22:08:26.400-03:00","pato":"Arquitetura","application":"PineOnline","tatu":"ResetarSenha","result":"false", 
"reqId":"6276A957-0E26-439E-8418-EB7BBBA618A8","version":"","platform":"","httpStatus":"200","reasonCode":"200","url":"https://888282121:999/Path1/Path2", 
"metodo":"PUT","tempo":"37","userAgent":"","request": {"ip":"","host":"192.168.0.103","client":"ClientIp:888.88.0.888","application-key":"","authorization":"", 
"customer-hash":"PZyKLE+0ONEfqlZyLgFe7owpccZl3iCdbYqSHiqGY_78y5PSOu+5MKh_MXk84EWKh0Cl5LHXzz+nUEEMPQCOirT5Hu01PvFAerq4ncoYszS8ZIYRpvg8P+zJMfWhT0KrcNXgDPliDXLFuK_gSIydc4QCDiY4MKXRNWn2ygpiiaEletMqkRh2wFALq7Bc5E0iMItlB6jO4mPduR95u+FCPvGn5ynrdtCzjRMciRH1IaL1vtRQijOFUsurwy_L_fGP0g5BUUohPYbBKFTjkFFTiAR11s9jQD2wZ3_pUjmIRgePfkdH021k9RsQrQQ+dr0c23EyEeLd9P+HURJg==",
"payload": [{"CPF":"7878787878",Senha:58586762}]},"response": {"host":"192.168.0.20","payload": []}} 

In our test we realized that when we use a very large payload the transformation does not occur, when we use smaller payload everything seems to work.

Reference:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_through_a_sed_...

0 Karma

FrankVl
Ultra Champion

Strange. When I upload that specific sample event into splunk and set that exact SEDCMD, it works just fine.

Can you perhaps share some more info on your setup and how and where you have set this configuration? Is it just for a single sourcetype, or are you using this for several sourcetypes and is one of those working and another not?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...