The requirement is to show the start 6 digits and last 4 digits and mask the remaining numbers of credit card in logstash. I applied gsub/mutate filter but the replacement string doesn't allow regex. Any other way this can be done in logstash?
if [message] =~ '\d{16}' {
mutate {
gsub => ["message", "\d{6}\d{4}\d{4}", "\d{6}######\d{4}"]
add_tag => "Masked CardNo"
}
}
This code masks the credit card 3456902345871092 to \d{6}######\d{4} but it should be masked as 345690######1092.
As an alternative, if possible even displaying only the first 6 digits or the last 4 digits of the card would be helpful.
You can use capturing groups in the regex and use those group in the replacement part: this regex (\d{6})(\d{6})(\d{4}), when matched, creates three groups (see here). This groups can be used in the replacement string: \1######\3 this string will use the first and third replacement groups.
So in your case, your configuration should look like this:
mutate {
gsub => ["message", "(\d{6})(\d{6})(\d{4})", "\1######\3"]
add_tag => "Masked CardNo"
}
Also, your regex \d{6}\d{4}\d{4} is wrong to match a 16-number credit card number, the second \d needs to grab 6 characters.