Many customers use Sumo Logic to help with compliance requirements such as PCI. PCI requires that no un-hashed or unencrypted credit card numbers be written to the server logs or web logs. To help meet these requirements, and to detect when credit card numbers may be written to the logs, you can mask credit card numbers in your log files before sending them to Sumo Logic.
Sumo Logic allows for masking credit card numbers from log messages using a regular expression in a masking filter. Once the numbers are masked with a known string, you can search for that string within your logs to detect whether credit card numbers may be leaking into your log files.
Note: Any masking expression should be tested and verified with a sample source file before applying to your production logs.
The following regular expression may be used within a masking filter to mask American Express, Visa (16-digit only), Master Card and Discover credit card numbers:
((?:(?:4\d{3})|(?:5[1-5]\d{2})|6(?:011|5[0-9]{2}))(?:-?|\040?)(?:\d{4}(?:-?|\040?)){3}|(?:3[47]\d{2})(?:-?|\040?)\d{6}(?:-?|\040?)\d{5})
This regular expression will cover instances where the number includes dashes, spaces or is a solid string of numbers.
Samples include:
- American Express: 3711-078176-01234 | 371107817601234 | 3711 078176 01234
- Visa: 4123-5123-6123-7123 | 4123512361237123 | 4123 5123 6123 7123
- Master Card: 5123-4123-6123-7123 | 5123412361237123 | 5123 4123 6123 7123
- Discover: 6011-0009-9013-9424 | 6500000000000002 | 6011 0009 9013 9424
Warning: The above expression may not match all credit card number formats and additional masking expressions may be required. To check your logs for anything appearing to be a credit card number you can also use the Luhn operator. This operator takes a string as an input, strips out all characters that are not numerals, and checks if the resulting string is a valid credit card number, returning true or false accordingly. For more details, please see the Luhn Operator in Help.
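The testing step from the note above, combined with the Luhn cross-check from the warning, as an added Python example (not Sumo Logic code): it applies the article's expression to constructed log lines, then reports Luhn-valid digit runs that the expression left unmasked. The mask string, function names and sample lines are assumptions, and Python's `re` stands in for the collector's regex engine, which may behave differently.

```python
import re

# The article's masking expression; the Amex prefix class is written [47] here
# so that it matches only 34 and 37.
CARD_RE = re.compile(
    r"((?:(?:4\d{3})|(?:5[1-5]\d{2})|6(?:011|5[0-9]{2}))(?:-?|\040?)"
    r"(?:\d{4}(?:-?|\040?)){3}|(?:3[47]\d{2})(?:-?|\040?)\d{6}(?:-?|\040?)\d{5})"
)
MASK = "#CARD_MASKED#"  # assumed mask string; pick one that never occurs naturally
# Any 13-19 digit run (optionally dash/space separated) left after masking.
RESIDUAL_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(text):
    """Luhn check on the digits of text, ignoring every other character."""
    digits = [int(c) for c in text if c.isdigit()]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_line(line):
    """Return (masked_line, regex_hits, luhn_valid_leftovers) for one log line."""
    hits = [m.group(0) for m in CARD_RE.finditer(line)]
    masked = CARD_RE.sub(MASK, line)
    leftovers = [m.group(0) for m in RESIDUAL_RE.finditer(masked) if luhn_ok(m.group(0))]
    return masked, hits, leftovers


# Constructed sample lines: card values are the article's samples, except the 4th,
# a constructed Luhn-valid number with a leading 2, which the expression does not cover.
SAMPLE_LINES = [
    "INFO checkout user=17 pan=3711-078176-01234 status=ok",
    "DEBUG payload card=4123 5123 6123 7123 cvv=***",
    "WARN retry card=6011000990139424 attempt=2",
    "ERROR gateway rejected card=2223000048400011",
    "INFO order=88213 total=41.50",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        masked, hits, leftovers = check_line(line)
        print(masked, "| masked:", len(hits), "| unmasked Luhn-valid:", leftovers)
```

The Visa sample is masked even though it fails the Luhn check, because the expression matches on shape alone; the fourth line is the case the warning describes, a Luhn-valid number that passes through unmasked.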
Comments
3 comments
Is there a way to apply this to *ALL* sources? Or at least a "source category"?
Unfortunately there is no simple option to add a filter to all Sources via the UI. Best way to perform this update would be to use the Collector Management API to script the addition of the filters to all your Collectors/Sources.
Working with one of your SEs, we came up with a way to run a search for existing credit card data in logs. Sharing in hopes of helping someone else down the road.
| parse regex "^0-9a-zA-Z._;?[^0-9a-zA-Z._;?]"