Sumo Logic

Mask Rules

A mask rule is a type of processing rule that hides irrelevant or sensitive information by filtering log lines before ingestion. When you create a mask rule, whatever expression you choose to mask is replaced with a mask string before the log is sent to Sumo Logic. You can select the mask character, or use the default, "#".

For example, to mask all users' email addresses, you could use the following:

Log line:

2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8]
[module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [] [remote_ip=]
[web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]

Resulting masked log line:

2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8]
[module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:MASKED_USER_EMAIL] [remote_ip=]
[web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]

Notes about Mask Rules

  • Expressions that you want masked must be expressed as a capture group, which requires the regex to be enclosed in "()". Only the text matched by the capture group is replaced; the rest of the match is left as it is.
    Example: For this log message,

    "auth":"Basic ksoe9wudkej2lfj*jshd6sl.cmei=",
    "cookie":"$Version=0; JSESSIONID=6C1BR5DAB897346B70FD2CA7SD4639.localhost_bc; $Path=/"

    You would use the following as a mask expression to mask the auth parameter's token:

    auth"\s*:\s*"Basic\s*([^"]+)"

  • Don't use the following expression, as it unnecessarily matches on more of the log than needed (the leading (?s).* and trailing .* pull the whole message into the match): (?s).*auth"\s*:\s*"Basic\s*([^"]+)".*(?s)

  • You can use an anchor to detect specific values. For example, if in your logs all user emails appear between the literal text User: and a closing ], you could use User:(.*)] so that User: is the starting anchor and ] is the ending anchor. The capturing group (.*) matches anything between these anchors and will mask it.
  • You can specify multiple match groups. Note that if multiple match groups are specified in one filter, each value will be masked the same way. So if you create one filter for users' email addresses and IP addresses, both will be replaced with the same mask string.
    (Screenshot: Mask filter)
  • Each match group matches and masks all occurrences that exist in each log.
  • If you'd like to use a different mask for each value, you'll need to create a separate mask rule for each value. For example, if you'd like to mask IP addresses with a string that's different from the user email string, you'd create another filter with the expression (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and you could use USER_ADDRESS as the mask string.
  • Make sure you don't specify a regular expression that has a capturing group that matches a full log line. Doing so will result in the entire log line being masked.
  • If you need to match on multiple lines, add the single-line modifier (?s) to the beginning and end of the expression to simplify matching your string, regardless of where it occurs in the message. For example:
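As an added illustration of the anchor, multiple-group, separate-rule and full-line notes above (Python written for this page, not Sumo Logic's own masking code; the two log lines, the alice@example.com address and the 10.1.2.3 address are constructed), this reproduces the capture-group masking semantics the page describes. It also shows that the greedy (.*) in User:(.*)] runs to the last ] on the line, which is why the email rule below uses the stricter User:([^\]]*)] instead.

```python
import re

# Constructed sample lines (not from the page), shaped like the examples above.
LOG = ('2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8] '
       '[auth=User:alice@example.com] [remote_ip=10.1.2.3] [session=80F1BD83AEBDF4FB]')
AUTH_LOG = '"auth":"Basic ksoe9wudkej2lfj*jshd6sl.cmei=", "cookie":"$Version=0; $Path=/"'


def apply_mask_rule(line, expression, mask="#"):
    """Mask-rule semantics as the page describes them: every capture group of
    `expression`, for every match in the line, is replaced with the one mask
    string. Text outside the capture groups is left intact."""
    spans = []
    for m in re.finditer(expression, line):
        for g in range(1, (m.lastindex or 0) + 1):
            start, end = m.span(g)
            if start != -1 and start != end:   # group participated and is non-empty
                spans.append((start, end))
    out, pos = [], 0
    for start, end in sorted(spans):
        if start < pos:                         # nested/overlapping group, already masked
            continue
        out.append(line[pos:start])
        out.append(mask)
        pos = end
    out.append(line[pos:])
    return "".join(out)


def apply_mask_rules(line, rules):
    """Apply several (expression, mask) rules in turn: one rule per value is
    how the page says to give each value its own mask string."""
    for expression, mask in rules:
        line = apply_mask_rule(line, expression, mask)
    return line


IP_RULE = (r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", "USER_ADDRESS")
EMAIL_RULE = (r"User:([^\]]*)]", "MASKED_USER_EMAIL")  # [^\]]* stops at the first ]

if __name__ == "__main__":
    print(apply_mask_rules(LOG, [EMAIL_RULE, IP_RULE]))
    # Greedy .* runs to the LAST ], so remote_ip and session are masked as well:
    print(apply_mask_rule(LOG, r"User:(.*)]", "#"))
    # A capture group that spans the whole line masks the whole line:
    print(apply_mask_rule(LOG, r"(.*)", "#"))
    # Only the Basic token (the capture group) is replaced, not the key or scheme:
    print(apply_mask_rule(AUTH_LOG, r'auth"\s*:\s*"Basic\s*([^"]+)"', "#"))
```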