I have some log events that I don't wanna show completely, as they may contain some sensitive pieces of information. Is there any way I can mask just the sensitive part of the log, keeping the rest of the log as it is, by providing the occurrence pattern via Logstash?
For instance, I have the below log event as a document:
"message" : "curl -u username:password http://example.com"
I want this to be stored as:
"message" : "curl -u XXXX:XXXX http://example.com"
Currently, I am dropping the event completely using Logstash drop {}.
You could do this using mutate+gsub:
mutate { gsub => [ "message", "-u [a-zA-Z0-9._-]+:[a-zA-Z0-9._-]+ ", "-u XXXX:XXXX " ] }
For a more general discussion of anonymisation and pseudonymisation see the blog post about GDPR.
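Before relying on a masking pattern, it helps to run it over the credential forms that actually show up in your logs. The following is an added example, not part of the original thread: it checks the gsub pattern from the answer in plain Ruby (the language the mutate filter is implemented in) against constructed sample messages. `BROAD_PATTERN`, `leaks` and the samples are assumptions of this example.

```ruby
# Pattern and replacement exactly as given in the answer above.
ANSWER_PATTERN     = /-u [a-zA-Z0-9._-]+:[a-zA-Z0-9._-]+ /
ANSWER_REPLACEMENT = "-u XXXX:XXXX "

# Broader pattern (assumption of this example, not from the thread):
# - (?<!\S) anchors the option at the start of a token
# - accepts -u or --user
# - username is anything up to the first colon, password is any non-space run
# - no trailing space required, so a credential at end of line is covered
# Not covered: quoted passwords containing spaces.
BROAD_PATTERN     = /(?<!\S)(-u|--user)\s+[^\s:]+:\S+/
BROAD_REPLACEMENT = '\1 XXXX:XXXX'

# Constructed sample events: [message, secret that must not survive masking].
SAMPLES = [
  ["curl -u username:password http://example.com",     "password"],
  ["curl -u username:p@ss!word http://example.com",    "p@ss!word"],
  ["curl http://example.com -u username:password",     "password"],
  ["curl --user username:password http://example.com", "password"]
].freeze

# Apply one pattern/replacement pair the way gsub would.
def mask(message, pattern, replacement)
  message.gsub(pattern, replacement)
end

# Return the sample messages whose secret is still present after masking.
def leaks(pattern, replacement, samples = SAMPLES)
  samples.select { |msg, secret| mask(msg, pattern, replacement).include?(secret) }
         .map(&:first)
end

if __FILE__ == $0
  { "answer" => [ANSWER_PATTERN, ANSWER_REPLACEMENT],
    "broad"  => [BROAD_PATTERN, BROAD_REPLACEMENT] }.each do |name, (pat, rep)|
    missed = leaks(pat, rep)
    puts "#{name}: #{SAMPLES.length - missed.length}/#{SAMPLES.length} masked"
    missed.each { |m| puts "  still exposed: #{m}" }
  end
end
```

The answer's pattern masks the exact form in the question but leaves the secret in place when the password contains other punctuation, when the credential is the last token on the line, or when `--user` is used, so any pattern deployed should be audited this way against real traffic.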