What edits do I need to make in my configurations to mask passwords while ingesting data to Splunk?
log file : { [-]
hostname: kjasfh56kh2!@#
level: 20
msg: Initializing TextToSpeech with config { username: 'abcdefghi-asjfakfn',
password: 'abcdefghijkl',
version: 'v1',
headers:
props.conf:
[app_json]
TRANSFORMS-anonymize = password-anonymizer
transforms.conf:
[password-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:**********,$2
DEST_KEY = _raw
Can anyone help with these stanzas?
cleelakrishna,
If one of the two answers below resolved your issue, could you please mark it Accepted?
If it did not, please post back with more information or what's not working right so we can help finish this up!
Happy Splunking,
Rich
Like this in props.conf:
[app_json]
SEDCMD-password-anonymizer = s/password:\s*'[^']+'/password:**********/
If we are using SEDCMD, there is no need for transforms, right?
That is correct.
You are calling out a second capture group, which you need to define:
[password-anonymizer]
REGEX = (?mi)^(.*)Password:[^,]*,(.*)
FORMAT = $1Password:**********,$2
DEST_KEY = _raw
And I'm not sure, but if you have a multiline event, in order to get all the lines prior to the one you want, you may want to use:
[password-anonymizer]
REGEX = (?mi)^([\s\S]*)Password:[^,]*,([\s\S]*)
FORMAT = $1Password:**********,$2
DEST_KEY = _raw
I haven't tried this myself, but that is what seems to be needed.
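A way to check a SEDCMD-style masking rule against sample events before deploying it, as an added example (not code from any poster in this thread or from Splunk). The helper names, the second sample event and the rule variants are constructed for illustration, and Python's re module stands in for Splunk's regex engine.

```python
import re

# Constructed sample events modelled on the log in the question (not real data).
SAMPLE_EVENTS = [
    "msg: Initializing TextToSpeech with config { username: 'abcdefghi-asjfakfn',\n"
    "password: 'abcdefghijkl',\nversion: 'v1',",
    # Two secrets in one event, with and without a space after the colon.
    "config { password:'s3cr3t-one', retry: { password: 's3cr3t-two' } }",
]
SECRETS = ["abcdefghijkl", "s3cr3t-one", "s3cr3t-two"]


def apply_sedcmd(expr, raw):
    """Apply a sed-style s/regex/replacement/flags expression to raw text.

    Only the s command with '/' delimiters and the optional g flag is handled.
    """
    m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", expr)
    if not m:
        raise ValueError("unsupported expression: " + expr)
    pattern, replacement, flags = m.groups()
    # Without the g flag, sed replaces only the first match in the event.
    count = 0 if flags == "g" else 1
    return re.sub(pattern, replacement, raw, count=count)


def leaked(expr, events=SAMPLE_EVENTS, secrets=SECRETS):
    """Return the secrets still readable in any event after masking."""
    masked = [apply_sedcmd(expr, e) for e in events]
    return sorted(s for s in secrets if any(s in e for e in masked))


# Rule variants (constructed): no whitespace allowed, whitespace allowed,
# and whitespace allowed with every occurrence replaced.
STRICT = r"s/password:'[^']+'/password:**********/"
TOLERANT = r"s/password:\s*'[^']+'/password:**********/"
TOLERANT_GLOBAL = TOLERANT + "g"

if __name__ == "__main__":
    for rule in (STRICT, TOLERANT, TOLERANT_GLOBAL):
        print(rule, "-> still readable:", leaked(rule))
```

Running a candidate rule over a handful of real events from the sourcetype in the same way shows whether spacing differences or repeated fields let a secret through before the rule reaches an indexer.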