Sumo Logic

Mask Rules

When you create a mask rule, whatever expression you choose to mask will be replaced with a mask string before it's sent to Sumo Logic (you can select the character or use the default, #). For example, to mask all users' email addresses, you could use the following:


Log line:

2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8]
[module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:dan@demo.com] [remote_ip=98.248.40.103]
[web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]

Resulting masked log line:

2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8]
[module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:MASKED_USER_EMAIL] [remote_ip=98.248.40.103]
[web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]

Notes about Mask Rules

  • Expressions that you want masked must be expressed as a capture group, which requires the regex to be enclosed in "()".
    Example: For this log message,

    "reqHdr":{
    "auth":"Basic ksoe9wudkej2lfj*jshd6sl.cmei=",
    "cookie":"$Version=0; JSESSIONID=6C1BR5DAB897346B70FD2CA7SD4639.localhost_bc; $Path=/"
    }}

    You would use the following as a mask expression to mask the auth parameter's token:
    auth"\s*:\s*"Basic\s*([^"]+)"

  • You should not use the following expression, since it matches more of the log than it needs to: (?s).*auth"\s*:\s*"Basic\s*([^"]+)".*(?s)

  • You can use an anchor to detect specific values. For example, if in your logs all user emails appear as User:(user@email.com)], you could use User:(.*)] so that User: is the starting anchor and ] is the ending anchor. The capturing group (.*) matches anything between these anchors, and that text will be masked.
  • You can specify multiple match groups. Note that if multiple match groups are specified in one filter, each value will be masked the same way, so if you create one filter for users' email addresses and IP addresses, both will be replaced with the same mask string.
  • If you'd like to use a different mask for each value, you'll need to create a separate mask rule for each value. For example, to mask IP addresses with a string that's different from the user email string, you'd create another filter with the expression (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and use USER_ADDRESS as the mask string.
  • Make sure you don't specify a regular expression that has a capturing group that matches a full log line. Doing so will result in the entire log line being masked.
  • If you need to match across multiple lines, add the single-line modifier (?s) to the beginning and end of the expression to simplify matching your string, regardless of where it occurs in the message. For example:

(?s).*secur.*(?s)
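The following Python script is an added example, not Sumo Logic's own code or part of this page: it models the capture-group replacement described above (only the captured text is replaced, the anchors stay in the message, every group in one rule gets the same mask string) and runs the page's email, IP and Basic-auth token expressions against constructed copies of the sample log line and the "reqHdr" fragment. It also shows why the greedy User:(.*)] anchor over-masks on a single-line message (the `.*` runs to the last `]`, taking the remote_ip and session fields with it), how a bounded alternative `User:([^\]]+)]` avoids that, why different mask strings need separate rules, and a small lint for the full-line-capture warning. The names apply_mask_rule, apply_mask_rules, rule_captures_whole_line and the bounded email expression are assumptions made for this example; the masking engine's real internals are not documented here.

```python
import re

# Constructed sample log line, assembled from the page's example as one
# physical line (the page wraps it for display).
SAMPLE_LINE = (
    "2012-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8] "
    "[module=RAW] [logger=scala.raw.InboundRawProtocolHandler] "
    "[auth=User:dan@demo.com] [remote_ip=98.248.40.103] "
    "[web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] "
    "[customer=0000000000000005] [call=InboundRawProtocol.getMessages]"
)

# Constructed multi-line JSON fragment, based on the page's "reqHdr" example.
SAMPLE_JSON = (
    '"reqHdr":{\n'
    '"auth":"Basic ksoe9wudkej2lfj*jshd6sl.cmei=",\n'
    '"cookie":"$Version=0; JSESSIONID=6C1BR5DAB897346B70FD2CA7SD4639.localhost_bc; $Path=/"\n'
    "}"
)

EMAIL_RULE_GREEDY = r"User:(.*)]"        # the anchor expression from the page
EMAIL_RULE_BOUNDED = r"User:([^\]]+)]"   # assumed alternative: stop at the first "]"
IP_RULE = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"   # IP expression from the page
TOKEN_RULE = r'auth"\s*:\s*"Basic\s*([^"]+)"'        # Basic-auth expression from the page


def apply_mask_rule(line, expression, mask="#"):
    """Replace the text of every capturing group in `expression` with `mask`.

    Assumed model of the behaviour the page describes (not the collector's
    own code): the anchors around each group stay in the message, only the
    captured text is replaced, and every group in one rule gets the same
    mask string.
    """
    pattern = re.compile(expression)
    pieces, pos = [], 0
    for m in pattern.finditer(line):
        for i in range(1, pattern.groups + 1):
            start, end = m.span(i)
            # Skip groups that did not participate (span (-1, -1)), groups
            # nested inside text already masked, and empty captures.
            if start < pos or start == end:
                continue
            pieces.append(line[pos:start])
            pieces.append(mask)
            pos = end
    pieces.append(line[pos:])
    return "".join(pieces)


def apply_mask_rules(line, rules):
    """Apply several (expression, mask) rules in order: one rule per distinct
    mask string, as the page advises."""
    for expression, mask in rules:
        line = apply_mask_rule(line, expression, mask)
    return line


def rule_captures_whole_line(line, expression):
    """Lint for the page's warning: True if any capture group spans the entire
    message, which would mask the whole log line."""
    pattern = re.compile(expression)
    for m in pattern.finditer(line):
        for i in range(1, pattern.groups + 1):
            if m.span(i) == (0, len(line)):
                return True
    return False


if __name__ == "__main__":
    # Greedy anchor: `.*` runs to the LAST "]" on the line, so every field
    # after the email is swallowed into the mask and lost for analysis.
    print(apply_mask_rule(SAMPLE_LINE, EMAIL_RULE_GREEDY, "MASKED_USER_EMAIL"))
    # Bounded capture: only the email is replaced.
    print(apply_mask_rule(SAMPLE_LINE, EMAIL_RULE_BOUNDED, "MASKED_USER_EMAIL"))
    # Two groups in one rule share the same mask string.
    print(apply_mask_rule(SAMPLE_LINE, r"User:([^\]]+)\] \[remote_ip=" + IP_RULE + r"\]"))
    # Separate rules give each value its own mask string.
    print(apply_mask_rules(SAMPLE_LINE, [(EMAIL_RULE_BOUNDED, "MASKED_USER_EMAIL"),
                                         (IP_RULE, "USER_ADDRESS")]))
    # The token expression works across the multi-line JSON without (?s).
    print(apply_mask_rule(SAMPLE_JSON, TOKEN_RULE))
    # A rule whose group covers the whole message would blank the line.
    print(rule_captures_whole_line(SAMPLE_LINE, r"(?s)(.*)"))
```

Before deploying a rule, run it over a representative batch of real messages the way the script does with the sample line: a rule that produces the expected masked line on one wrapped example can still over-mask on the single-line form the collector actually sees, and over-masking silently removes the fields (remote_ip, session) that investigations later depend on.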