All Products
Search

This Product

    Simple Log Service:Extended plug-in: Data Masking

    Document Center

    Simple Log Service:Extended plug-in: Data Masking

    Last Updated:Apr 21, 2025

    If you use Logtail to collect logs, you can use the processor_desensitize plug-in to replace sensitive data in logs with specified strings or MD5 hash values. This topic describes the parameters of the processor_desensitize plug-in and provides examples on how to configure the plug-in.

    Important

    • Form configuration: You can use form configuration to add the plug-in when you collect text logs or container stdout and stderr.

    • Editor configuration in JSON: You cannot use editor configuration in JSON to add the plug-in when you collect text logs.

    Entry point

    If you want to use a Logtail plug-in to process logs, you can add a Logtail plug-in configuration when you create or modify a Logtail configuration. For more information, see Entry point.

    Configuration description

    Important

    Only Logtail V1.3.0 and later support the processor_desensitize plug-in.

    Form configuration

    Set the Processor Type parameter to Data Masking. Then, configure other parameters based on the following table.

    • Parameters

      Parameter

      Description

      Original Field

      The name of the log field.

      Data Masking Method

      The method that is used to mask sensitive content. Valid values:

      • String Replacement: replaces sensitive content with a string. You can configure the Replacement String parameter to specify the string.

      • md5: replaces sensitive content with the MD5 hash value that is generated for sensitive content.

      Sensitive Data Content

      The method that is used to identify sensitive content. Valid values:

      • Field Text: identifies all content in the value of the specified log field as sensitive. In this case, all content in the value of the specified log field is replaced.

      • Use Regular Expression: identifies sensitive content by using a regular expression.

      Replacement String

      The string that is used to replace sensitive content.

      If you set the Data Masking Method parameter to String Replacement, you must configure this parameter.

      Regex to Match Sensitive Content Prefix

      The regular expression that is used to match the prefix of sensitive content.

      If you set the Sensitive Data Content parameter to Use Regular Expression, you must configure this parameter.

      Regex to Match Sensitive Content

      The regular expression that is used to match sensitive content.

      If you set the Sensitive Data Content parameter to Use Regular Expression, you must configure this parameter.

    • Examples

      The following example shows how to replace all content in the value of a specified field with a string:

      • Raw log

        "password" : "123abcdefg"

      • Logtail plug-in configuration for data processingimage

      • Processing result

        "password":"********"

    Editor configuration in JSON

    Set the type parameter to processor_desensitize. Then, configure other parameters in the detail section based on the following table.

    • Parameters

      Parameter

      Type

      Required

      Description

      SourceKey

      String

      Yes

      The name of the log field.

      Method

      String

      Yes

      The method that is used to mask sensitive content. Valid values:

      • const: replaces sensitive content with a string. You can configure the ReplaceString parameter to specify the string.

      • md5: replaces sensitive content with the MD5 hash value that is generated for sensitive content.

      Match

      String

      No

      The method that is used to identify sensitive content. Valid values:

      • full (default): identifies all content in the value of the specified log field as sensitive. In this case, all content in the value of the specified log field is replaced.

      • regex: identifies sensitive content by using a regular expression.

      ReplaceString

      String

      No

      The string that is used to replace sensitive content.

      If you set the Method parameter to const, you must configure this parameter.

      RegexBegin

      String

      No

      The regular expression that is used to match the prefix of sensitive content.

      If you set the Match parameter to regex, you must configure this parameter.

      RegexContent

      String

      No

      The regular expression that is used to match sensitive content.

      If you set the Match parameter to regex, you must configure this parameter.

    • Examples

      • Example 1

        The following example shows how to replace all content in the value of a specified field with a string. Set the Method parameter to const and the Match parameter to full.

        • Raw log

          "password" : "123abcdefg"

        • Logtail plug-in configuration for data processing

          {
  "type" : "processor_desensitize",
  "detail" : {
    "SourceKey" : "password",
    "Method" : "const",
    "Match" : "full",
    "ReplaceString": "********"
  }
}

        • Processing result

          "password":"********"

      • Example 2

        The following example shows how to identify sensitive content in the value of a specified field by using a regular expression and replace the sensitive content with the MD5 hash value that is generated for the sensitive content. Set the Method parameter to md5 and the Match parameter to regex.

        • Raw log

          "content" : "[{'account':'1234567890','password':'abc123'}]"

        • Logtail plug-in configuration for data processing

          {
   "type" : "processor_desensitize",
   "detail" : {
      "SourceKey" : "content",
      "Method" : "md5",
      "Match" : "regex",
      "RegexBegin": "'password':'",
      "RegexContent": "[^']*"
   }
}

        • Processing result

          "content":"[{'account':'1234567890','password':'e99a18c428cb38d5f260853678922e03'}]"