How to obfuscate a username but keep a unique valu...

jpass · ‎04-25-2019

I am using HTTP Event Collector & Splunk logging for java (logback). The events contain a username (e-mail address) which needs to be obfuscated. I'm looking for suggestions on how to best do this while still allowing me to do stats by username. For example, replace username with some sort of id? My gut tells me the best way would be to ask the app team handle this before logs are generated.

Thank you.

fsolercasanova · ‎04-25-2019

Hello,

This is a large topic with a variety of ways to implement it. There was a .conf presentation detailing a few different ways and to do this. You seem to be looking for psuedononymous obfuscation so look out for those options in the slides: https://conf.splunk.com/files/2017/slides/data-obfuscation-and-field-protection-in-splunk.pdf

edit: Here is the above video for better context:
https://conf.splunk.com/files/2017/recordings/data-obfuscation-and-field-protection-in-splunk.mp4

Splunk provides their own documentation at: https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Anonymizedata

There, they detail one of the easiest ways using a props and transforms regex :

To mask sensitive data, you need the following items:

Data that you want to anonymize
An understanding of how regular expressions work.
An inputs.conf file, with a configuration that tells Splunk Enterprise where this data is located
A transforms.conf file that does the data masking
A props.conf file that references the transforms.conf file for the data that you want to mask

Finally, If you only want to obfuscate the data at search time you can implement a data scrub inline with your search

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Scrub