New Relic’s log management service already automatically masks number patterns that appear to be for items such as credit cards or Social Security numbers, but you can ensure data privacy by defining custom obfuscation rules right from logs UI.
Here’s a quick definition of sensitive data and a few examples - this is not an exhaustive list:
- Personally identifiable information (PII): sensitive things like Social Security Number, combinations of data (like first name + date of birth or last name + zip code) or other user generated data that is considered sensitive in nature.
- Health Data.
- Financial Data (like credit card numbers.
- IP addresses may be considered sensitive, especially when in combination with PII.
Learn more To know more about New Relic’s log management security and privacy click here.
Follow the instructions to:
- Create obfuscation expression
- Create obfuscation rule
Before you begin, ensure you have a New Relic account, or sign up for a free account here (no credit card needed).
You will also need to have a Core and Full Platform users account. To learn about New Relic’s User type, what capabilities each user type has, and how to decide on a user type click here.
Define regular expressions to specify which data to hide:
Using the Logs UI:
Enter a name for your new obfuscation rule, as well as a regular expression matching the sensitive data you want to capture. Use RE2 syntax.
The following example shows a basic obfuscation expression that will match credit card numbers:
Hide sensitive data using matching criteria. Using the Logs UI:
- Go to one.newrelic.com > Logs and from the left nav, select Obfuscation.
- Click Create obfuscation rule.
- Enter a name for your new obfuscation rule, as well as a matching criteria (in NRQL format) to capture the target set of logs you want to obfuscate.
- Add a new actions (the first one is added automatically) to specify the obfuscation expression (regex) to capture each set of attributes, as well as whether to MASK or HASH them.
- Multiple attributes can be specified comma-separated.
- MASK will replace all matching characters with Xes. If you use MASK, you will not be able to query for a particular obfuscated value later.
- HASH will replace sensitive data with the SHA-256 hash value. If you use HASH, you will be able to query them using our hashing tool, provided you know its cleartext value.
- Your rule should look something like this:
- Create an obfuscation rule using the Logs UI
- Click Create rule to create and activate your obfuscation rule.
You’ve now successfully created expressions and rules to match sensitive information before data is being stored in NRDB. Our logs in context functionality are already changing the way troubleshoot issues. This makes it easier and safer for you, rather than needing to track down sensitive data in all of your applications and try to fix them at the source.
For more information about obfuscating sensitive data in logs, follow the New Relic Docs.
(End of post)