Mask Rule regular expressions
I've been working to try to redact a log statement that can show some sensitive information. A typical query from this logger looks like:
jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - SELECT * FROM dead_letter WHERE status='redeliverable' {executed in 351 msec}
I am trying to use a local collector file to configure a mask rule for this. Here is my rule:
{
  "filterType": "Mask",
  "name": "SQL Timing",
  "regexp": "(jdbc.sqltiming.*)",
  "mask": "XXX"
}
I have tried a handful of other regexes and none have worked.
Other attempts:
(jdbc\.sqltiming.*)
I've tried double escaping the literal '.' character:
(jdbc\\.sqltiming.*)
or even triple escaping it to no effect.
Ultimately I wanted to do a more complicated regex:
jdbc\.sqltiming\.373\s\[[a-z0-9]{16}\s[a-z0-9]{16}\]\s-\s*-\s*([^{]*)
So that the trace and span IDs and execution times would be preserved.
None of these mask rules has resulted in any data being masked. What am I doing wrong?
-
Hi Nathan,
Assuming you want to mask the SQL query, your regex is correct; I tested it.
jdbc\.sqltiming\.373\s\[[a-z0-9]{16}\s[a-z0-9]{16}\]\s-\s*-\s*([^{]*)
The masked data ingested in Sumologic looks like the line below; here I masked the matching string with "testmm":
jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - testmm{executed in 351 msec}
Regards
-
Thank you Shobhit Garg for your response. I was able to get this working.
It turns out I had a syntax problem with a different mask rule which was preventing the new mask rule from being applied. It can be very tricky to spot the problems in the logs, and when a configuration fails it seems to default to the last successful configuration, so it can be hard to notice.
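The failure mode from the last post, as an added example that is not part of the original thread or Sumo Logic's own tooling: a pre-deployment check that a rules file parses as JSON, that every Mask regexp compiles and has a capture group, and what a rule does to the sample line. The `filters` wrapper, the function names, and the use of Python's `re` in place of the collector's regex engine are assumptions; the replace-the-capture-group behaviour follows the masked output shown in the answer.

```python
import json
import re

# Constructed sample: the log line from the question. The "filters" wrapper is an assumption.
SAMPLE_LINE = ("jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - "
               "SELECT * FROM dead_letter WHERE status='redeliverable' {executed in 351 msec}")

# Inside a JSON string every regex backslash must be doubled.
GOOD_CONFIG = r'''
{"filters": [
  {"filterType": "Mask", "name": "SQL Timing", "mask": "XXX",
   "regexp": "jdbc\\.sqltiming\\.373\\s\\[[a-z0-9]{16}\\s[a-z0-9]{16}\\]\\s-\\s*-\\s*([^{]*)"}
]}
'''
# Same rule with single backslashes: "\." is not a legal JSON escape, so the whole file fails.
BAD_CONFIG = GOOD_CONFIG.replace("\\\\", "\\")


def check_rules(config_text):
    """Return a list of problems; an empty list means every Mask rule is usable."""
    try:
        filters = json.loads(config_text)["filters"]
    except (json.JSONDecodeError, KeyError) as exc:
        return [f"config not loadable: {exc}"]
    problems = []
    for rule in filters:
        if rule.get("filterType") != "Mask":
            continue
        try:
            pattern = re.compile(rule["regexp"])
        except (re.error, KeyError) as exc:
            problems.append(f"{rule.get('name')}: bad regexp: {exc}")
            continue
        if pattern.groups == 0:
            problems.append(f"{rule.get('name')}: no capture group, nothing to mask")
    return problems


def apply_mask(rule, line):
    """Replace each (non-nested) capture group with the mask, keeping the rest of the match."""
    def repl(m):
        out, pos = [], m.start()
        for i in range(1, m.re.groups + 1):
            if m.start(i) < 0:  # group did not participate in the match
                continue
            out += [line[pos:m.start(i)], rule["mask"]]
            pos = m.end(i)
        return "".join(out) + line[pos:m.end()]
    return re.sub(rule["regexp"], repl, line)
```

Running `check_rules` over the full rules file before restarting the collector surfaces a broken sibling rule that would otherwise leave the last good configuration silently in place.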