Configure Log Masking with Filebeat

Log files and the product console may contain business sensitive information. To avoid such information being exposed, users can mask sensitive information through Filebeat.

In Filebeat, you can define data patterns that need to be masked in logs. This is particularly useful if your logs contain sensitive information such as credit card numbers and access tokens.

Configure Filebeat to mask sensitive information

Follow the instructions given below to configure this feature.

  1. Navigate to the home directory of your Filebeat installation and open the filebeat.yml file.
  2. Add the following configuration after the filebeat.inputs section. Change the masking rules to fit your requirement.

    Info

    The given sample replaces the value in the username field in the event to MASKED. This is done with the replace() function in Javascript.

    filebeat.inputs:
        ...
    processors:
      - script:
          lang: javascript
          source: >
            function process(event) {
                var msg = event.Get("message");
                msg = msg.replace(/\"username\":\"(.*?)\"/, "\"username\":\"MASKED\"");
                event.Put("message",msg);
            }
          tag_on_exception: true
    output.logstash:
        ...

Note

As the number of masking patterns increases, performance will be affected since each log line is matched with each pattern. It is recommended to only use the most necessary patterns.

Top