All Products
Search

This Product

    Simple Log Service:Mask sensitive data

    Document Center

    Simple Log Service:Mask sensitive data

    Last Updated:Jul 29, 2024

    If you use Logtail to collect logs, you can use the processor_desensitize plug-in to replace sensitive data in logs with specified strings or MD5 hash values. This topic describes the parameters of the processor_desensitize plug-in. This topic also provides examples on how to configure the plug-in.

    Important

    • Form configuration: Available when collecting text logs and container stdout and stderr.

    • Editor configuration in JSON: Not available when collecting text logs.

    Entry point

    If you want to use a Logtail plug-in to process logs, you can add a Logtail plug-in configuration when you create or modify a Logtail configuration. For more information, see Entry point.

    Configuration description

    Important

    Logtail V1.3.0 and later support the processor_desensitize plug-in.

    Form configuration

    Set Processor Type to Data Masking. Then, configure other parameters based on the following table.

    • Parameters

      Parameter

      Description

      Original Field

      The name of the log field.

      Data Masking Method

      The method that is used to mask sensitive content. Valid values:

      • String Replacement: replaces sensitive content with a string. You can configure the Replacement String parameter to specify the string.

      • md5: replaces sensitive content with the MD5 hash value that is generated for sensitive content.

      Sensitive Data Content

      The method that is used to identify sensitive content. Valid values:

      • Full Text: identifies all content in the value of the specified log field as sensitive. In this case, all content in the value of the specified log field is replaced.

      • Use Regular Expression: identifies sensitive content by using a regular expression.

      Replacement String

      The string that is used to replace sensitive content.

      If you set the Data Masking Method parameter to String Replacement, you must configure this parameter.

      Regex to Match Sensitive Content Prefix

      The regular expression that is used to match the prefix of sensitive content.

      If you set the Sensitive Data Content parameter to Use Regular Expression, you must configure this parameter.

      Regex to Match Sensitive Content

      The regular expression that is used to match sensitive content.

      If you set the Sensitive Data Content parameter to Use Regular Expression, you must configure this parameter.

    • Configuration example

      Replace all content in the value of a specified field with a string.

      • Raw log

        "password" : "123abcdefg"

      • Logtail plug-in configuration for data processingimage

      • Results

        "password":"********"

    Editor configuration in JSON

    Set type to processor_desensitize. Then, configure other parameters in detail based on the following table.

    • Parameters

      Parameter

      Type

      Required

      Description

      SourceKey

      String

      Yes

      The name of the log field.

      Method

      String

      Yes

      The method that is used to mask sensitive content. Valid values:

      • const: replaces sensitive content with a string. You can configure the ReplaceString parameter to specify the string.

      • md5: replaces sensitive content with the MD5 hash value that is generated for sensitive content.

      Match

      String

      No

      The method that is used to identify sensitive content. Valid values:

      • full: identifies all content in the value of the specified log field as sensitive. In this case, all content in the value of the specified log field is replaced. This is the default value.

      • regex: identifies sensitive content by using a regular expression.

      ReplaceString

      String

      No

      The string that is used to replace sensitive content.

      If you set the Method parameter to const, you must configure this parameter.

      RegexBegin

      String

      No

      The regular expression that is used to match the prefix of sensitive content.

      If you set the Match parameter to regex, you must configure this parameter.

      RegexContent

      String

      No

      The regular expression that is used to match sensitive content.

      If you set the Match parameter to regex, you must configure this parameter.

    • Configuration examples

      • Example 1

        Set the Method parameter to const and the Match parameter to full to replace all content in the value of a specified field with a string.

        • Raw log

          "password" : "123abcdefg"

        • Logtail plug-in configuration for data processing

          {
  "type" : "processor_desensitize",
  "detail" : {
    "SourceKey" : "password",
    "Method" : "const",
    "Match" : "full",
    "ReplaceString": "********"
  }
}

        • Results

          "password":"********"

      • Example 2

        Set the Method parameter to md5 and the Match parameter to regex to identify sensitive content in the value of a specified field by using a regular expression and replace the sensitive content with the MD5 hash value that is generated for the sensitive content.

        • Raw log

          "content" : "[{'account':'1234567890','password':'abc123'}]"

        • Logtail plug-in configuration for data processing

          {
   "type" : "processor_desensitize",
   "detail" : {
      "SourceKey" : "content",
      "Method" : "md5",
      "Match" : "regex",
      "RegexBegin": "'password':'",
      "RegexContent": "[^']*"
   }
}

        • Results

          "content":"[{'account':'1234567890','password':'e99a18c428cb38d5f260853678922e03'}]"