Mask Rule regular expressions

I've been working to try to redact a log statement that can show some sensitive information. A typical query from this logger looks like

jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - SELECT * FROM dead_letter WHERE status='redeliverable' {executed in 351 msec}

I am trying to use a local collector file to configure a mask rule for this. Here is my rule:

{
  "filterType": "Mask",
  "name": "SQL Timing",
  "regexp": "(jdbc.sqltiming.*)",
  "mask": "XXX"
}

I have tried a handful of other regexes and none have worked.

Other attempts:

(jdbc\.sqltiming.*)

I've tried double escaping the literal '.' character:

(jdbc\\.sqltiming.*)

or even triple escaping it to no effect.

Ultimately I wanted to do a more complicated regex:

jdbc\.sqltiming\.373\s\[[a-z0-9]{16}\s[a-z0-9]{16}\]\s-\s*-\s*([^{]*)

So that the trace and span IDs and execution times would be preserved.

None of these mask rules has resulted in any data being masked. What am I doing wrong?

Shobhit Garg

February 16, 2021 07:13

Hi Nathan,

Assuming you want to mask the SQL query then your regex is correct, I tested it.

The masked data ingested in Sumologic is like below, here I masked the matching string with "testmm"

jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - testmm{executed in 351 msec}

jdbc.sqltiming.373 [ab8c71b34beb1443 748e59b77dd6190e] - - testmm{executed in 351 msec}

Regards

Nathan Norman

February 16, 2021 15:30

Thank you Shobhit Garg for your response. I was able to get this working.

It turns out I had a syntax problem with a different mask rule which was preventing the new mask rule from being applied. It can be very tricky to spot the problems in the logs and when a configuration fails it seems to default to the last successful configuration, so it can be hard to notice.

Mask Rule regular expressions

Comments

Didn't find what you were looking for?