Many customers use Sumo Logic to help with compliance requirements such as PCI. PCI requires that no un-hashed or un-encrypted credit card numbers be written to the server logs or web logs. In order to help meet these requirements, and detect when credit card numbers may be written to the logs, you can mask credit card numbers from their log files before sending them to Sumo Logic.
Sumo Logic allows for masking credit card numbers from log messages using a regular expression in a masking filters. Once masked with a known string, you can then perform a search for that string within your logs to detect if credit card numbers may be leaking into your log files.
Note: Any masking expression should be tested and verified with a sample source file before applying to your production logs.
The following regular expression can be used within a masking filter to mask American Express, Visa (16 digit only), Master Card and Discover credit card numbers:
((?:(?:4\d{3})|(?:5[1-5]\d{2})|6(?:011|5[0-9]{2}))(?:-?|\040?)(?:\d{4}(?:-?|\040?)){3}|(?:3[4,7]\d{2})(?:-?|\040?)\d{6}(?:-?|\040?)\d{5})
This regular expression will cover instances where the number includes dashes, spaces or is a solid string of numbers.
Samples include:
- American Express: 3711-078176-01234 | 371107817601234 | 3711 078176 01234
- Visa: 4123-5123-6123-7123 | 4123512361237123 | 4123 5123 6123 7123
- Master Card: 5123-4123-6123-7123 | 5123412361237123 | 5123 4123 6123 7123
- Discover: 6011-0009-9013-9424 | 6500000000000002 | 6011 0009 9013 9424
You can also use the Luhn operator, which uses Luhn’s algorithm to check message logs for strings of numbers that may be credit card numbers, and then validates them. It takes a string as an input, strips out all characters that are not numerals, and checks if the resulting string is a valid credit card number, returning true or false accordingly. For details, see Luhn Operator in Help.
Comments
3 comments
Working with one of your SE's we came up with a way to run a search for existing credit card data in logs. Sharing in hopes of helping someone else down the road.
| parse regex "^0-9a-zA-Z._;?[^0-9a-zA-Z._;?]"
Is there a way to apply this to *ALL* sources? or at least a "source category"?
Unfortunately there is no simple option to add a filter to all Sources via the UI. Best way to perform this update would be to use the Collector Management API to script the addition of the filters to all your Collectors/Sources.
Please sign in to leave a comment.