I'm wondering if it's possible to mask/scrub the Splunk access logs. If so, how?
It's for a security requirement. We have a search page that does a one-way hash of an input value and searches for the hash, but we don't want any written record of the input value. This value would appear in the Splunk access logs for a given request.
Edit:
I would like to do this for the Splunk access logs on the filesystem.
It is likely not possible to mask these directly in the Splunk access logs before they are written to flat files on disk. It may be possible with some deep hacking into Splunkweb and/or new framework (written in python) - but if it is showing up in the splunkd_access.log, then that's compiled C++ code that you cannot even change.
It is likely not possible to mask these directly in the Splunk access logs before they are written to flat files on disk. It may be possible with some deep hacking into Splunkweb and/or new framework (written in python) - but if it is showing up in the splunkd_access.log, then that's compiled C++ code that you cannot even change.
Not the answer I was hoping for, but an effective answer. Thanks
Yes, yes you can. You will need to make a transforms for the splunkd_access logs. Ref: http://docs.splunk.com/Documentation/Splunk/5.0.5/admin/Transformsconf
props.conf
[splunkd_access]
TRANSFORMS-splunkdhash = splunkd-masker
transforms.conf
[splunkd-masker]
REGEX = (?m)^(.*)fieldofhash=YOUR_REGEX_FOR_HASH(.*)$
FORMAT = $1=anonyhash$2
DEST_KEY = _raw
Then no. Splunkd writes those out. You could cron a script to replace in the file, but then Splunk re-indexes it.
Sorry, I wasn't clear. I mean to mask Splunk's access logs on the filesystem itself.