We have application writing logs as Windows Events . There are 3 fields that we wanted to mask ..
Accept-Language=en-US,en;q=0.9
Authorization=Auth xcvftYUIOLKN2luc3QiOiJiZTExMTQwODkzIiwiZWxsaV91aWQiOiJFbmNvbXBhc3NcXGJlMTExNDA4OTNcXDU5NTg0NjI4NTQiLCAic2Vzc2lvbiI6ImJlMTExNDA4OTNfMjhiZTI3NTYtZjY3MC00NGVhLTk4MzktMmM2NTRmMzkzZDc4IiwgInNpdGVfaWQiOiIzNjUxMzEzMzcxIiwgImluaXRfa2V5IjoiIn0=
Host=enc-ez9.xzapi.com
Referer=https://portal.juniorkiio.com/site-app/?id=1234567
User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
base-URI=/reverseproxy
Enc-Session=cte235467_28be2756-f670-44ea-9839-2c654f393d78
http-method=GET
We want to mask values of Authorization, Referer and Enc-Session. I have tried masking one to see, if it works but haven't seen any success.
Following is my
props.conf
[es_prd_api]
TRANSFORMS-anonymize = authorization-anonymizer
transforms.conf
[authorization-anonymizer]
REGEX = (?m)^(.*)Authorization=(.*)$
FORMAT = $1Authorization=########$2
DEST_KEY = Message
Appreciate help and guidance.
Thanks
↧
