Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data Masking Before Ingestion

anandhalagaras1
Communicator
‎03-20-2024 11:14 PM

Hi Team,

Want to mask two of the fields "password" and "cpassword" from the events which are getting written with the plain text information. So needs to be changed as #####.

Sample event information:

 

[2024-01-31_07:58:28] INFO : REQUEST: User:abc CreateUser POST: name: AB_Test_Max;email: xyz@gmail.com;password: abc12345679;cpassword: abc12345679;role: User;

[2024-01-30_14:05:42] INFO : REQUEST: User:xyz CreateUser POST: name: Math_Lab;email: abc@yahoo.com;password: xyzab54;cpassword: xyzab54;role: Admin;

So kindly help with the props.conf so that i can apply with SEDCMD-mask.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Builder
‎04-15-2024 02:00 PM

Could you try this SEDCMD in the props.conf file? (Make sure that the stanza is changed to match the sourcetype of the logs)

[your_sourcetype]
SEDCMD-maskpasswords = s/password: ([^;]+);cpassword: ([^;]+);/password: ####;cpassword: ####;/g

 

View solution in original post

Reply
Solved! Jump to solution
Solution

marnall
Builder
‎04-15-2024 02:00 PM

Could you try this SEDCMD in the props.conf file? (Make sure that the stanza is changed to match the sourcetype of the logs)

[your_sourcetype]
SEDCMD-maskpasswords = s/password: ([^;]+);cpassword: ([^;]+);/password: ####;cpassword: ####;/g

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-20-2024 11:25 PM

Hi @anandhalagaras1,please try this:

[your_sourcetype]
SEDCMD = s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm

that you can test at https://regex101.com/r/ppaFZc/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎04-01-2024 04:11 AM

@gcusello 

We had two requirements for the same sourcetype. One involved line breaks, and the other required password masking during ingestion. As our Search heads are managed by Splunk Support and hosted in the Cloud, we created a custom app and deployed the props.conf in the default directory. After uploading the apps for the cloud vetting process, they were successfully installed. However, I've noticed that the logs are now being separated into individual events, which is acceptable, but the passwords are still visible and haven't been masked according to our requirement. I'm unsure about where exactly I may have missed it.

 

This is the props.conf file for reference. 

[sourcetype]
SHOULD_LINEMERGE = false
SEDCMD = s/password: ([^;]+);cpassword: ([^;]+);/password: (####);cpassword: (####);/gm

 

Sample log for reference: 

[2024-03-01_06:32:08] INFO : REQUEST: User:abc CreateUser POST: name: xyz;email: abc@gmail.com;password: xyz@123;cpassword: xyz@123;role: Administrator;

So kindly help on this requirement.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-02-2024 12:25 AM

Hi @anandhalagaras1,

regex substitution is correct.

Are you sure about the sourcetype?

is there any sourcetype replacement in your data?

are there some other Heavy Forwarders  before the one you used for the masking?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎04-03-2024 04:55 AM

@gcusello ,

This is the exact and correct sourcetype and I have created a custom app and uploaded the App in our Search head. Since our Search head is hosted in Splunk Cloud managed by Support.

So I have uploaded the app in the upload app section and post vetting process completed i have installed the custom app into the Search head.

This is the custom app i have created "abc_app"

Under abc_app I have placed two folders "default" and "metadata"

Under default I have created the app.conf and props.conf

And under metadata I have created the default.metadata 

Refer screenshots for reference.

 

So kindly let me know where i am missing since the lines are getting segregated as separate events whereas password masking is not getting applied to the events. Hence kindly help on the same.

 

 

 

Preview file
117 KB
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-03-2024 05:24 AM

Hi @anandhalagaras1,

what's the sourcetype to apply the masking?

I suppose that sourcetype in the props.conf stanza header it's only for example and that in your installation you have the correct sourcetype to apply the transformation.

ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎04-03-2024 08:10 AM

@gcusello  Indeed, I have applied the correct sourcetype there to ensure that events are appropriately divided. Nonetheless, the masking of passwords is not taking place as intended.

0 Karma
Reply
Solved! Jump to solution

anandhalagaras1
Communicator
‎04-15-2024 03:41 AM

@gcusello ,

Any inputs from your end since still i can see the events are getting ingested with the password information present in it.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...