We are trying to mask some data from winhostmon using SEDCMD.
The sample data (sourcetype=WinHostMon source=process):
Type=Process
Name="wfcrun32.exe"
ProcessId=1
CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test"
StartTime="20170516135737.278912+120"
Host="test-test2-test3"
Path="C:\PROGRAM FILES (X86)\Test\test.EXE"
Props:
[WinHostMon]
SEDCMD-anonymize=s/\/password.*$/\/password:XXXXX/g
The issue is that it is not masking the data. I have tried sourcetype, source and host on the indexer, but it is still not masking.
If I upload a test file with the data using the add data option, I am able to mask the data using the SEDCMD; the same goes for a file with a static sourcetype.
My guess is that the source/sourcetype is not correct because of the way Splunk identifies the data at indexing/parsing.
Does anyone have an idea how I can mask the data at indexing time?
The data is being sent from a universal forwarder to our indexers, so it is not passing through a heavy forwarder.
Your logic should work correctly.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata
Two things to double check:
1. Have you restarted your instance and pumped new data? It will work from that point onwards and NOT on already indexed data.
2. Is the event above multiline or single line? (just to ensure that the .*$ reaches the end of line at all)
3. Can you please put an EVAL statement under the stanza in props.conf (e.g. EVAL-mykey="somevalue")? This will confirm whether the sourcetype is correct and the stanza name is valid.
To answer your questions:
1. We have restarted after each change and waited for new data to come in.
2. It is a multiline event; we tested the command via CLI and that worked, but it might not work in Splunk.
3. We are running Splunk 7.0.3; I thought an eval only worked from 7.1 or 7.2 and up? But I like the idea, so I will try to find a way to add something to see if the sourcetype is correct.
Thank you for your comment!
After changing the SEDCMD to the following it works; thank you for the multiline tip!
s/(?m)\/password.*$/\/password:XXXXX/g
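Why the `(?m)` flag made the difference: SEDCMD runs against the whole multiline event, and without multiline mode `$` only matches at the very end of the event, so `\/password.*$` never matches when the CommandLine line is followed by StartTime, Host and Path. The added example below (not from the thread or from Splunk) replays both expressions against a constructed copy of the sample event with Python's `re`; the tiny `apply_sedcmd` helper is an assumption that only handles the `s/regex/replacement/g` form used here, while real Splunk uses PCRE, where `(?m)` behaves the same way.

```python
import re

# Constructed multiline WinHostMon event, modelled on the sample in the question.
EVENT = r"""Type=Process
Name="wfcrun32.exe"
ProcessId=1
CommandLine="C:\PROGRAM FILES (X86)\Test\test.EXE" /h0 "C:\Program Files (x86)\Test2\test2.test" /username:"Test" /domain:AD /password:"test"
StartTime="20170516135737.278912+120"
Host="test-test2-test3"
Path="C:\PROGRAM FILES (X86)\Test\test.EXE"
"""

ORIGINAL = r"s/\/password.*$/\/password:XXXXX/g"       # the SEDCMD that did not mask
FIXED = r"s/(?m)\/password.*$/\/password:XXXXX/g"      # the SEDCMD that works


def apply_sedcmd(sed: str, event: str) -> str:
    """Apply a Splunk-style 's/<regex>/<replacement>/g' expression to one event.

    Hypothetical helper: it only understands the '/' delimiter, an escaped '\\/'
    inside the regex or replacement, and the optional trailing 'g' flag. The whole
    event is passed to re.sub, just as Splunk applies SEDCMD to the full event.
    """
    m = re.fullmatch(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)", sed)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {sed!r}")
    regex, repl, flag = m.groups()
    repl = repl.replace("\\/", "/")          # unescape the delimiter in the replacement
    count = 0 if flag == "g" else 1          # 'g' means replace every match
    return re.sub(regex, repl, event, count=count)


def password_masked(sed: str, event: str = EVENT) -> bool:
    """True only if the password value is gone AND the XXXXX placeholder is present."""
    out = apply_sedcmd(sed, event)
    return '/password:"test"' not in out and "/password:XXXXX" in out


if __name__ == "__main__":
    for label, sed in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label}: masked={password_masked(sed)}")
    # original: masked=False
    # fixed: masked=True
```

A useful check before restarting the indexer: run the same regex against a full multiline event rather than a single extracted line, because a CLI test on one line will pass for both expressions and hide the problem.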