skip.link.title
share

Hash log content

Output filter: hash-fields

This plugin replaces field values with its hash code. All occurrences of the original field value are replaced in the log "message" field with the hash code.

In the context of data protection regulations like GDPR you might need to mask data fields, especially when you handover log data to 3rd parties.

Using strong hash functions (sha256, sha512) the orginal field value can't be recovered. Nevertheless hashed values can be used for log analytics, e.g. to see a value distribution or count unique values.

Configuration

Add the following section 'outputFilter' to the Logagent configuration file. Please note you could use the plugin with multiple configurations for different event sources.

# tail web server logs
input: 
  files:
    - '/var/log/*/access_log'

# log agent parses web server logs out of the box ...
# output filter to encrypt client_ip and user field in web server logs
outputFilter:
  hashFields: 
    module: hash-fields
    # JS regular expression to match log source name
    matchSource: !!js/regexp access_log
    # algorithms supported by nodejs crypto module, 
    # e.g. sha1, sha256, sha512, md5, ...
    algorithm: sha256
    fields:
      - client_ip

Run Logagent with your config:

logagent --config logagent-example-config.yml -n httpd --yaml

The output in YAML format shows the hased IP address in the field client_ip:

logSource:    httpd
_type:        access_common
client_ip:    eff8e7ca506627fe15dda5e0e512fcaad70b6d520f37cc76597fdb4f2d83a1a3
remote_id:    -
user:         -
method:       GET
path:         /
http_version: HTTP/1.1
status_code:  304
size:         0
@timestamp:   Thu Apr 26 2018 22:02:26 GMT+0200 (CEST)