When you use Logtail to collect logs, you can use the processor_desensitize plug-in to replace sensitive data with a specified string or an MD5 hash. This topic describes the parameters of the processor_desensitize plug-in and provides configuration examples.
Form-based configuration: Available for text logs and container standard output.
JSON configuration: Not available for text logs.
Entry point
To process logs using a Logtail plug-in, add the plug-in configuration when you create or modify a Logtail configuration. For more information, see Add a plug-in.
Configuration description
The processor_desensitize plug-in is supported in Logtail 1.3.0 and later.
Form-based configuration
For Processor Type, select Data Masking. The following table describes the parameters.
Parameters
Parameter
Description
Original Field
The name of the log field.
Data Masking Method
The method used to mask sensitive data. Valid values:
String Replacement: Replaces sensitive data with a string. Specify the target string for the Replacement String parameter.
md5: Replaces sensitive data with its MD5 hash.
Sensitive Data Content
The method used to fetch sensitive data. Valid values:
Full Field: Fetches all content. This replaces all content in the value of the target field.
Regular Expression: Fetches sensitive data using a regular expression.
Replacement String
The string used to replace sensitive data.
This parameter is required when you set Data Masking Method to String Replacement.
Sensitive Content Prefix Regex
The regular expression that matches the prefix of the sensitive data.
This parameter is required when you set Sensitive Data Content to Regular Expression.
Sensitive Content Regex
The regular expression that matches the sensitive data.
This parameter is required when you set Sensitive Data Content to Regular Expression.
Configuration example
Replace the entire value of the target field with a string.
Raw log
"password" : "123abcdefg"Logtail plug-in processing configuration
Processing result
"password":"********"
JSON configuration
Set type to processor_desensitize. The following table describes the parameters in detail.
Parameters
Parameter
Type
Required
Description
SourceKey
String
Yes
The name of the log field.
Method
String
Yes
The method used to mask sensitive data. Valid values:
const: Replaces sensitive data with a string. Specify the target string for the ReplaceString parameter.
md5: Replaces sensitive data with its MD5 hash.
Match
String
No
The method used to fetch sensitive data. Valid values:
full (default): Fetches all content. This replaces all content in the value of the target field.
regex: Fetches sensitive data using a regular expression.
ReplaceString
String
No
The string used to replace sensitive data.
This parameter is required when you set Method to const.
RegexBegin
String
No
The regular expression that matches the prefix of the sensitive data.
This parameter is required when you set Match to regex.
RegexContent
String
No
The regular expression that matches the sensitive data.
This parameter is required when you set Match to regex.
Configuration examples
Example 1
Replace the entire value of the target field with a string. To do this, set Method to const and Match to full.
Raw log
"password" : "123abcdefg"Logtail plug-in processing configuration
{ "type" : "processor_desensitize", "detail" : { "SourceKey" : "password", "Method" : "const", "Match" : "full", "ReplaceString": "********" } }Processing result
"password":"********"
Example 2
Use a regular expression to identify sensitive data in the value of the target field and replace the data with its MD5 hash. To do this, set Method to md5 and Match to regex.
Raw log
"content" : "[{'account':'1234567890','password':'abc123'}]"Logtail plug-in processing configuration
{ "type" : "processor_desensitize", "detail" : { "SourceKey" : "content", "Method" : "md5", "Match" : "regex", "RegexBegin": "'password':'", "RegexContent": "[^']*" } }Processing result
"content":"[{'account':'1234567890','password':'e99a18c428cb38d5f260853678922e03'}]"
References
Configure a Logtail pipeline using API operations:
GetLogtailPipelineConfig - Get a Logtail pipeline configuration
ListLogtailPipelineConfig - List Logtail pipeline configurations
CreateLogtailPipelineConfig - Create a Logtail pipeline configuration
DeleteLogtailPipelineConfig - Delete a Logtail pipeline configuration
UpdateLogtailPipelineConfig - Update a Logtail pipeline configuration
Configure a processor plugin in the console:
Collect container logs from a Kubernetes cluster using a CRD (stdout/file)