How To: Mask or Suppress Certain Sensitive Data Going into Log Files


Sentry administrators may have a requirement to mask/suppress certain data being logged by Sentry.  Request and response payloads, as well as detailed information about the client and server are logged by default when DEBUG level is enabled. Some of this information may need to be masked or removed entirely from the Sentry logs.

While there is an option to exclude specific messages using the "Override log level for the following codes" option, the use case may require all messages to be logged but some data masked or suppressed. This article focuses on masking or suppressing the logged information rather than excluding messages by code.

More information on the Sentry logging functionality can be found in the attached guide.



Suppose the following request document appears in the System log:



The use case is to mask or suppress the value “sensitive info” found in the request payload.



Changing “sensitive info” from the above example into “***************”:

This is done using a Pattern Match Policy as follows:

1. Pattern Match Policy

Resource ---> Pattern Match ---> New

   1. Policy Name: Replace_Sensitive_Data (for example)
   2. Mode: Deny
   3. REGULAR EXPRESSION: <field2>[^<]*</field2>
   4. REPLACEMENT: <field2 />**************


2. Associate to Policy

The Pattern Match Policy created above is a targeted policy and should be associated with the policy in question, rather than applied globally for all logging.  This is configured on the Logging page under the policy in question as seen in the image below:



3. System Log

The message should now reflect the pattern replacement, as seen in the system log:
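To see what the pattern above does and does not cover before relying on it in production logging, here is an added Python example (not part of the article and not Sentry's own code). It applies the article's regular expression to constructed sample payloads, uses a fixed-length mask so the masked output keeps the element well-formed and does not leak the original value's length (my choice, not the article's replacement string), and adds a broader audit pattern (an assumption, not from the article) that flags <field2> elements the narrow pattern leaves unmasked, such as elements with attributes or nested markup.

```python
import re

# Regular expression taken from the article: a <field2> element whose text contains no '<'.
ARTICLE_PATTERN = re.compile(r"<field2>[^<]*</field2>")

# Fixed-length mask chosen for this example (assumption): the element stays well-formed
# and the mask length does not depend on the length of the original value.
MASK = "<field2>***************</field2>"

# Broader audit pattern (assumption, not from the article): tolerates attributes on
# <field2> and nested child elements, so it finds values the narrow pattern skipped.
AUDIT_PATTERN = re.compile(r"<field2\b[^>]*>.*?</field2>", re.DOTALL)


def mask_sensitive(payload: str) -> str:
    """Apply the article's pattern-match replacement to a request/response payload."""
    return ARTICLE_PATTERN.sub(MASK, payload)


def unmasked_fields(masked_payload: str) -> list:
    """Return every <field2> element that survived masking (anything other than MASK)."""
    return [m.group(0) for m in AUDIT_PATTERN.finditer(masked_payload)
            if m.group(0) != MASK]


# Constructed sample payloads (not the screenshot referenced by the article).
PLAIN_REQUEST = "<request><field1>public</field1><field2>sensitive info</field2></request>"
ATTR_REQUEST = '<request><field2 type="ssn">sensitive info</field2></request>'
NESTED_REQUEST = "<request><field2><inner>sensitive info</inner></field2></request>"

if __name__ == "__main__":
    samples = [("plain", PLAIN_REQUEST), ("attribute", ATTR_REQUEST), ("nested", NESTED_REQUEST)]
    for name, payload in samples:
        masked = mask_sensitive(payload)
        print(f"{name}: {masked}")
        leftover = unmasked_fields(masked)
        if leftover:
            # The narrow pattern did not match, so the value would still reach the log.
            print(f"  WARNING: still logged unmasked: {leftover}")
```

The plain payload is masked as the article describes; the attribute and nested variants are left untouched by `<field2>[^<]*</field2>`, which is why a pattern-match policy should be tested against every payload shape the service actually emits, and the audit pattern is the kind of check to run over a Debug-level log sample afterwards.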





IMPORTANT NOTE: Debug level logging in general can impact performance and system resources, and adding a pattern match/replace increases that impact further. It is strongly recommended that performance testing of the policy/system is done with and without Debug level logging, and with and without pattern matching on the logs, to better understand the impact in your environment.

