Splunk Search

regex to mask password in props.conf

caitcait
Explorer

I am need of help to build the regex to mask a password string looking similar to this

Password: 22222222abc222222222892222red22222222222+,

Can someone please assist?

Thank you!

Tags (3)
0 Karma

rdudipala
New Member

It worked only for one group. thanks for help.

0 Karma

rdudipala
New Member

,Guys,

I have same issue, Used above props.conf & transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

My log looks like this
{"Username":"rdudipala2","Password":"Newusers1"}

Can someone please assist?

0 Karma

FrankVl
Ultra Champion

That REGEX only has 1 capturing group, while the FORMAT expects 2 capturing groups. That will fail to execute (and probably also throws errors in splunk's internal logs?).

0 Karma

sravankaripe
Communicator

During search time replace the password with ########

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Replace

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi caitcait,

the password showed in your example is the password to anonymize I think: in a row there is

Password: your_password,

and you want to transform into

Password:##########,

so you have to modify
props.conf

[your_sourcetype]
TRANSFORMS-anonymize = session-anonymizer

transforms.conf

[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

see https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata

Bye.
Giuseppe

caitcait
Explorer

Hi Giuseppe,

I'm sorry I should have clarified I'm using SEDCMD only in this case.

Thank you!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi caitcait,
ok
try something like this in props.conf

SEDCMD-my_transformation = s/Password:[^,]/Password:\*{8}/g

for more details see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Anonymizedata .

Bye.
Giuseppe

0 Karma

rdudipala
New Member

thanks it worked today.

0 Karma

gcusello
SplunkTrust
SplunkTrust

If this solution answers to your question, please accept and/or upvote it.
Bye.
Giuseppe

0 Karma

rdudipala
New Member

hi Cusello,

I used both scenario vise versa but no result

Proprs.conf:-

[ABC.com]

scenario -1
TRANSFORMS-password_mask = session-anonymizer
SEDCMD-password_mask = s/Password:[^,]/Password:*{8}/g

scenario -2
TRANSFORMS-password_mask = ABC.com.com
SEDCMD-password_mask = s/Password:{\w(8)}/Password:##########\1/g

transforms.conf:-
[session-anonymizer]
REGEX = (?m)^(.*)Password:[^,]
FORMAT = $1Password:########,$2
DEST_KEY = _raw

[session-anonymizer]
REGEX = (?m)^(.)Password:\s(\S+)(.)$
FORMAT = $1Password: ############$2
DEST_KEY = _raw

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...