How To: Mask or Suppress Certain Sensitive Data Going into Log Files

Overview

Sentry administrators may have a requirement to mask/suppress certain data being logged by Sentry.  Request and response payloads, as well as detailed information about the client and server are logged by default when DEBUG level is enabled. Some of this information may need to be masked or removed entirely from the Sentry logs.

While there is an option to exclude specific messages using the "Override log level for the following codes" option, the use case may require all messages to be logged but with some data masked or suppressed. This article focuses on masking/suppressing the logged information rather than excluding messages by code.

More information on the Sentry logging functionality can be found in the attached guide.

Example

Suppose the following request document appears in the System log:

(Screenshot: Replace_Data_Pattern_Match_System_Log_Pre.PNG)

The use case is to mask or suppress the value “sensitive info” found in the request payload.

Implementation

Changing “sensitive info” from the above example into “***************”:

This is done using a Pattern Match Policy as follows:

1. Pattern Match Policy

   Resource ---> Pattern Match ---> New

   1. Policy Name: Replace_Sensitive_Data (for example)
   2. Mode: Deny
   3. REGULAR EXPRESSION: <field2>[^<]*</field2>
   4. REPLACEMENT: <field2 />**************

   (Screenshot: Replace_Data_Pattern_Match.PNG)

2. Associate to Policy

   The Pattern Match Policy created above is a targeted policy and should be associated with the policy in question, rather than applied globally for all logging. This is configured on the Logging page under the policy in question, as seen in the image below:

   (Screenshot: Replace_Data_Pattern_Match_Logging.PNG)

3. System Log

   The message should now appear in the System log with the pattern replaced:

   (Screenshot: Replace_Data_Pattern_Match_System_Log.PNG)
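The three steps above configure a regular-expression replacement that Sentry applies to the payload before it is written to the log. The following added example (not part of the original article and not Sentry's own code) reproduces that replacement in Python with the exact pattern and replacement strings from step 1, runs it over a constructed request payload, and adds a defender-side check that the sensitive literal no longer appears in the masked output. It also shows one limitation of the pattern as written: because `[^<]*` stops at the first `<`, a `field2` value that contains a child element is not matched and therefore not masked.

```python
import re

# Pattern and replacement exactly as configured in the Pattern Match Policy above.
PATTERN = re.compile(r"<field2>[^<]*</field2>")
REPLACEMENT = "<field2 />**************"

# Constructed sample request payload; not a capture from a real Sentry log.
SAMPLE_REQUEST = (
    "<request>"
    "<field1>public value</field1>"
    "<field2>sensitive info</field2>"
    "<field3>another public value</field3>"
    "</request>"
)


def mask_sensitive(text: str) -> str:
    """Apply the policy's regular-expression replacement to a log payload."""
    return PATTERN.sub(REPLACEMENT, text)


def count_matches(text: str) -> int:
    """Number of field2 elements the pattern would replace in this payload."""
    return len(PATTERN.findall(text))


def is_masked(masked: str, secret: str) -> bool:
    """Verification step: the sensitive literal must not survive masking."""
    return secret not in masked


if __name__ == "__main__":
    out = mask_sensitive(SAMPLE_REQUEST)
    print(out)
    print("masked:", is_masked(out, "sensitive info"))

    # Limitation: a value containing a child element does not match [^<]*,
    # so this pattern leaves it unmasked and the check reports a leak.
    nested = "<field2><inner>sensitive info</inner></field2>"
    print(mask_sensitive(nested))
    print("masked:", is_masked(mask_sensitive(nested), "sensitive info"))
```

Running the script prints the masked request with `<field2 />**************` in place of the original element, followed by the nested case where the value is left intact and `masked: False` is reported. When validating a new Pattern Match Policy, feed it representative payloads of every shape the policy will see, including empty elements and nested markup, and confirm with a check like `is_masked` rather than by eye.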

IMPORTANT NOTE: Debug level logging in general can impact performance and system resources, and adding a pattern match replacement adds further overhead on every logged message. It is strongly recommended that performance testing of the policy/system is done with and without Debug level logging, and with and without pattern matching on the logs, to understand the impact in your environment.