[patch] Add filters to strip unwanted data from incoming syslog messages.
Hello,
A project that I am involved with has requirements for the ability to strip personally identifiable data from their syslogs. The attached patch allows us to accomplish this functionality.
I believe it would be useful if it is included in upstream syslog-ng. Please consider it for inclusion in the next release.
Thanks in advance,
- William
On Mon, 09 Jul 2007 11:51:13 -0000, William Pitcock said:
Hello,
A project that I am involved with has requirements for the ability to strip personally identifiable data from their syslogs. The attached patch allows us to accomplish this functionality.
I believe it would be useful if it is included in upstream syslog-ng. Please consider it for inclusion in the next release.
Thanks in advance,
+############################################################ +## generic filters + +filter f_strip { strip(ips); };
It *appears* that this is the only place this .conf file does anything with the new feature. As such, it took me a long time to *find* it in there. Oh, and three references in the d_postfix, d_sympa, and d_courier segments. It would be a lot clearer if instead of a complete .conf file, you provided a very minimalist example of how to use it (10-20 lines at most).
+ This patch has been tested against the following versions of syslog-ng: + . version 1.6.7 + . Debian package syslog-ng_1.6.7-2
Does this need updating? Your diff appears to actually be against 2.0.4.
Also, if you're going to all the trouble of creating a filter_replace_new and filter_replace_eval, it might not be bad at all if you were to make a more generalized feature out of it so that sites can use it to do more than just IP addresses. For instance, a site might need to do something like
filter f_userpass { replace("user=.* pass=.* ", "user=MASKED pass=MASKED"); }
or some such. That's a *lot* more 'personal identifying' than just an IP address.
On Mon, 9 Jul 2007, Valdis.Kletnieks@vt.edu wrote:
+############################################################ +## generic filters + +filter f_strip { strip(ips); };
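Review bot: the "filter f_strip { strip(ips); };" line has no comment saying what the ips argument matches or what the matched text is replaced with, and the "## generic filters" heading gives no hint that this entry rewrites message content. Suggest a short comment above the filter stating both, so that someone reading the config knows the logged text is altered by it.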
It *appears* that this is the only place this .conf file does anything with the new feature. As such, it took me a long time to *find* it in there. Oh, and three references in the d_postfix, d_sympa, and d_courier segments. It would be a lot clearer if instead of a complete .conf file, you provided a very minimalist example of how to use it (10-20 lines at most).
+ This patch has been tested against the following versions of syslog-ng: + . version 1.6.7 + . Debian package syslog-ng_1.6.7-2
Does this need updating? Your diff appears to actually be against 2.0.4.
For what it's worth, I didn't write the README, I just redid the code part for 2.0.4. Do whatever you want with the readme, I only included it because the initial patch we had came with it. As did the config example.
Also, if you're going to all the trouble of creating a filter_replace_new and filter_replace_eval, it might not be bad at all if you were to make a more generalized feature out of it so that sites can use it to do more than just IP addresses. For instance, a site might need to do something like
filter f_userpass { replace("user=.* pass=.* ", "user=MASKED pass=MASKED"); }
or some such. That's a *lot* more 'personal identifying' than just an IP address.
The patch I provided provides a replace feature like what you say. To use the replace feature my patch provides, you do something like:
filter f_userpass { replace("user=[.*] pass=[.*]", "user=MASKED pass=MASKED"); }
It works exactly as you describe.
- William
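The masking idea discussed in this thread, as an added example that is not code from the patch or from syslog-ng: it runs the greedy user/pass pattern quoted above next to a bounded alternative and an IPv4 scrubber. Python's re module stands in for the patch's matcher, whose pattern syntax the thread does not specify; the sample lines, the bounded patterns, the function names and the 0.0.0.0 replacement are assumptions.

```python
import re

# Constructed sample syslog lines (not taken from the thread).
SAMPLES = [
    "Jul  9 11:51:13 mx1 app[412]: login user=alice pass=hunter2 from 192.0.2.10 port 4022",
    "Jul  9 11:51:15 mx1 app[412]: auth failed user=carol pass=s3cret",
    "Jul  9 11:51:16 mx1 app[412]: build 10.1.2.3.4 connect from 198.51.100.7",
]

# Pattern and replacement as quoted in the thread: greedy `.*` and a
# required trailing space after the password value.
GREEDY = re.compile(r"user=.* pass=.* ")
GREEDY_REPL = "user=MASKED pass=MASKED"

# Bounded alternative (assumption): a value is one run of non-whitespace,
# so the match stops at the field boundary and also works at end of line.
KEYVAL = re.compile(r"\b(user|pass)=\S+")

# Dotted-quad IPv4 with octet range checks; the lookarounds reject longer
# dotted runs such as "10.1.2.3.4". IPv6 is out of scope here.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")
IP_MASK = "0.0.0.0"  # assumed; the thread does not say what strip(ips) writes


def mask_greedy(line: str) -> str:
    """Apply the greedy pattern from the thread unchanged."""
    return GREEDY.sub(GREEDY_REPL, line)


def scrub(line: str) -> str:
    """Mask user/pass values, then IPv4 addresses, leaving other fields intact."""
    line = KEYVAL.sub(lambda m: f"{m.group(1)}=MASKED", line)
    return IPV4.sub(IP_MASK, line)


if __name__ == "__main__":
    for sample in SAMPLES:
        print("in     :", sample)
        print("greedy :", mask_greedy(sample))
        print("bounded:", scrub(sample))
```

On the first sample the greedy form swallows every field up to the last space; on the second it matches nothing, because no space follows the password, so the value stays in the log.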
participants (2)
- Valdis.Kletnieks@vt.edu
- William Pitcock