Hello,
I am trying to mask the password in the Windows event logs at index time but somehow my config is not working. Kindly advise.
Configuration that I am trying:
1. Changes made in Props
Password extraction
[data]
password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
TRANSFORMS-anonymize = password-anonymizer
2. Changes made in Transforms
[password-anonymizer]
FORMAT = ################
DEST_KEY = _raw
Logs:
Process Information:
New Process ID: xyzabc
New Process Name: C:\Windows\System32\net.exe
Token Elevation Type: abcdabcd
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 12345
Creator Process Name: C:\Program Files\BMC Software\Client Management\Client\bin\mtxproxy.exe
Process Command Line: net user "abcd" "password12345" /active:yes /passwordchg:yes /passwordreq:yes
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Documentation Link: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Anonymizedata
Any advice would be appreciated.
Thanks all for the reply. Here is the complete solution.
According to docs, config should be done on HF but for that the data flow has to be changed. Parsing can't be done on UF, however this can be pushed to the indexers via the Cluster Master similar to field extractions.
Steps:
1. Write the regex to extract the password and use that regex along with the sed command (format s/<password>/<replacement>/g) to test the masking of the password in the search.
index=main sourcetype=data source="C:\\testdata\\TestDataMasking5.txt"
| rex mode=sed "s/\"\w+\".*\"(.*)\"\s+/##############/g"
| table _raw
2. Create a new app in the master-apps of CM and then put the above regex in props.conf and push the bundle.
[data]
SEDCMD-masking=s/\"\w+\".*\"(.*)\"\s+/##############/g
The success of the above solution depends a lot on the regex.
I think it has to be done on a HF -
"Universal forwarders can only parse structured data"
https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Anonymizedata
Thanks for mentioning that, missed paying attention to the HF note in the docs.
I am trying it through UF. For configuring it on HF, I will have to change the flow of Windows logs, which also won't be easy.
Is there a way it can be done on UF?
Don't think so. Try putting it on the indexer/indexers. Should work, first place data is cooked.
Yes. Had already put it there, was waiting for off hours to push it to the cluster. Moving it to indexers removed the whole line, so still have to work out what kind of regex to put there.
Updated logs after the changes.
Process Information:
New Process ID: abcd
New Process Name: C:\Windows\System32\net1.exe
Token Elevation Type: %%1234
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: abcd
Creator Process Name: C:\Windows\System32\net.exe
############## /passwordreq:yes
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Is this being done on a UF or HF?
The transform needs a REGEX attribute that tells Splunk where to find the field to anonymize.
Isn't it already there? Could you provide more details?
It's not in the quoted transforms.conf stanza:
2. Changes made in Transforms
[password-anonymizer]
FORMAT = ################
DEST_KEY = _raw
It usually looks something like this:
2. Changes made in Transforms
[password-anonymizer]
REGEX = %%%%%%%%%%%%
FORMAT = ################
DEST_KEY = _raw
Have you tried using SEDCMD in props.conf? That's usually the easier way to mask data.
I had initially put REGEX in transform but it didn't work. Giving SEDCMD a try now.
Updated props
splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g
#password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
#TRANSFORMS-anonymize = password-anonymizer
#TRANSFORMS-anonymize = pass-anonymizer
This didn't work.
splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g