[syslog-ng] credit card masking in log messages

Marton ILLES marton.illes at balabit.com
Tue Feb 26 08:40:07 CET 2013


Hello Loggers!

I was playing around with the latest 3.4.1 release and created two
rewrite configuration blocks to mask and hash credit card numbers in log
messages.

I think it would be a good idea to add these config blocks to SCL so
anyone could use it later easily.

These are two fairly simple blocks:

block rewrite hash_cc(value("MESSAGE"))
{
    # Replace each card number found in `value` with the first 16 hex digits of its SHA-1.
    # The outer group is capture group 1, which store-matches exposes as $1.
    subst(
        "(4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35[0-9]{3})[0-9]{11})",
        "$(sha1 --length 16 $1)",
        value(`value`),
        flags(global, store-matches),
        type(pcre));
};

block rewrite mask_cc(value("MESSAGE"))
{
    # Keep the first 6 and last 4 digits of each card number found in `value`.
    subst(
        "(4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35[0-9]{3})[0-9]{11})",
        "$(substr $1 0 6)******$(substr $1 -4 4)",
        value(`value`),
        flags(global, store-matches),
        type(pcre));
};

You can use it in your rewrite statements easily:

log {
    source(s_local);
    rewrite { mask_cc(); };
    #rewrite { hash_cc(value(".sdata.my-cc")); };
    destination(d_local);
};

And it turns a message like this:

Transaction approved; checkout-id='46255763', amount='38.43', cc='5542043004559005'

Into this, in case of masking:

Transaction approved; checkout-id='46255763', amount='38.43', cc='554204******9005'

And in case of hashing:

Transaction approved; checkout-id='46255763', amount='38.43', cc='986d97fc95435b22'


For anyone interested in more details on credit card number
masking/hashing/tokenization I also wrote a blogpost about this:
http://marci.blogs.balabit.com/2013/02/masking-credit-card-numbers-in-log-messages-with-syslog-ng/

The regexps could be enhanced further, but I guess it is good for a
start. Bazsi, Algernon, could you please add this to SCL? Sorry, I was
too lazy to generate a git pull request. :(

Happy Masking!

cheers,
Marton
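
Added example, not part of the original post or of syslog-ng's SCL: the masking rule re-implemented in Python so the pattern can be tested offline against sample lines. It goes beyond the post by requiring digit boundaries and a valid Luhn checksum before masking; the function names and every sample line except the post's own are constructed for illustration.

```python
import re

# Same issuer alternatives as the post's pattern. The digit lookarounds are an
# addition: a card-shaped slice inside a longer digit run is left alone.
CC_RE = re.compile(
    r"(?<![0-9])("
    r"4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}"
    r"|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}"
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35[0-9]{3})[0-9]{11}"
    r")(?![0-9])"
)


def luhn_ok(number):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_cc(message):
    """Keep the first 6 and last 4 digits, as the post's mask_cc() block does."""
    def repl(match):
        pan = match.group(1)
        if not luhn_ok(pan):  # assumption: numbers failing Luhn are not cards
            return pan
        return pan[:6] + "******" + pan[-4:]
    return CC_RE.sub(repl, message)


# First line is the post's sample; the rest are constructed test input.
SAMPLES = [
    "Transaction approved; checkout-id='46255763', amount='38.43', cc='5542043004559005'",
    "Refund issued; cc='378282246310005'",         # Amex-format test number
    "Order queued; order-ref='4000000000000001'",   # card-shaped, fails Luhn
    "Batch done; trace=99554204300455900577",       # card digits inside a longer run
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(mask_cc(line))
```

Skipping numbers that fail the Luhn check cuts false positives on order and trace ids, at the cost of leaving a mistyped card number unmasked.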




