HI ,
i want to masking the cookie value in the the log file i just write the regx but its not displaying the data before the masking vale.
2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0
; path=/; maxAge=-1; domain=null}
2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTNjNTY3MTAtYzg1Yy00ZjY3LWJmZjYtM2EyYzM0Njk2MjFjIiwiYWNjb3VudElEIjoiQU41OTM3OTgtNTMzNi0wNTAyLTM3MTEtSkkwMTIwMTZLSTk4Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk3OTU1MDZ9.XaL4OaNWXT1p_ADnPYLFHN1Jl_fLlHEmbG9Q25YaMF8iRJMPYJuWF-2dxZ9oMJUyZiPbEdQzkdRcGvWvE0xl5faM-LKB2g-r_6bTt1ArLaLTt3uzXZ0GX5V6OlQyvHlUZPFlvKQpkC_3Sb_Gg9p4C4vee-oPHNpMm721ba_cUM5MC7VHcmepQQi3zP0zYh2U3kjTa8D88pAW1mmJF1INvhZ_T3tJMMqEG5YnxUfE75ETJY9brS7KF3VAC6GyEhpbw2QSJBvkj6FmnyGM7O7xn84LGXUgYgZiHMuNXQb0so6-Zpy9Ax88bDi2QMo59mj6nGM4zuyq6IqrBGJonDJ_5g
; path=/; maxAge=-1; domain=}
code:
| rex mode=sed "s/[^{]+{(\w+)=([^};]*)/=1XXXXXX/g"
Try this
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0
; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0
; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
Try this
| makeresults | eval test="2017-07-11 11:51:46,740 tid:hhReD803VBtTqw2uFsQVhPI35r0 DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF=hashedValue:hhReD803VBtTqw2uFsQVhPI35r0
; path=/; maxAge=-1; domain=null}" | table test | rex field=test mode=sed "s/cookies:\s(\S+.*)/cookies: =1XXXXXX/g"
Hi ,
here i just want to mask only the Cookie session values oly not other string , even i need to tesxt "adding Cookie{PF_JWT=" and the end of the line laso "path=/; maxAge=-1; domain=}"
2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA
; path=/; maxAge=-1; domain=}
only bold code should mask
Try this,
| makeresults | eval test="2017-07-12 09:47:57,316 tid:mq2JlWyVI8JiL5AYxJRn28ZFLNQ DEBUG [org.sourceid.servlet.HttpServletRespProxy] flush cookies: adding Cookie{PF_JWT=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIifQ.eyJzY29wZSI6WyJlZGl0Il0sImNsaWVudF9pZCI6IkNsaWVudFBpbmciLCJHVUlEIjoiMTBiMDRjNGYtZWUyOC00M2JjLWE3YWItNjc1YjUxZWRlZWFhIiwiYWNjb3VudElEIjoiS1o4MzU4ODktODkzMi0xNTA0LTMwMTEtRkk1MTIwMTRGTjg5Iiwibm9kZUlkeCI6IjEiLCJleHAiOjE0OTk4NzQ0Nzd9.NmeJEY9BLpXyBZhRblUETWeh_7pAczHOTHKJaS1r3DMy0UL0HNe-EVMm40t1Hh27iSoWup6WqY_0XXapLQkglFUpUaLW_gygoieK_lB09iKiMjCUZDVxoIoFHuqGRMErArxNvyR2PPETrX4p7a_7Q0U5CYHMIYbiLSzBIuhpabBsgaW1u3lJlA-Ry08oX_BdQ32XRRRznqi1hImjZfCQ5Ok84t4ygwatq5lT24zQoEjHCVh37Mr2G00WfL_0i6T9sNsROyk5ZoprScE4VLIa8LPlGeTspUAoQ1-LFwiM4BNX7Q58mW_a0B3bhWkzJUPeJUhd8bvzLLDqzxfu9nsZRA
; path=/; maxAge=-1; domain=}" |rex field=test mode=sed "s/Cookie{PF_JWT=`(\S+)/Cookie{PF_JWT=xxxxxx
;/g"
I'm not sure the question your asking.. You want to mask the data but the data is not present in the logs?
Your sed
method is only masking data at search time. If another user runs a search then the cookie data will be available. If you want to mask the data at index time (i.e. the data will be masked if anyone searches for it), you should do the following
props.conf
[sourcetype]
TRANSFORMS-1card = cookie_anon
transforms.conf
[cookie_anon]
REGEX = [^{]+{(\w+)=([^};]*)
DEST_KEY = _raw
FORMAT = 1XXXXXX
Make sure to restart splunkd after making these changes