Log Monitoring Classic
Dynatrace version 1.253+ OneAgent version 1.243+
Your log data contains information that may be considered sensitive. Specific log messages may include user names, email addresses, URL parameters, and other information that you may not want to disclose. Log Monitoring features the ability to mask any information by modifying the configuration file on each OneAgent that handles information you consider to be sensitive.
You can select the data that needs to be protected by applying a set of masking rules. Within each rule, you can decide what you need to hide and what to replace your hidden content with. If you need to address only specific attributes, such as predefined containers, log sources or process groups, you can achieve it by adding matchers to your rules.
Masking rule execution occurs in a predefined hierarchy, from top to bottom. Each consecutive rule is applied to the result of a preceding rule. The hierarchy is as follows:
The host configuration rules can be accessed through the Host settings for a specific host.
The host group configuration rules can be accessed via the Host page.
The Host group property is not displayed when the selected host doesn't belong to any host group.
<group name>
link, where <group name>
is the name of the host group that you want to configure.The tenant scope is available in the settings menu.
You can configure sensitive data masking on the host, host group or environment level.
Select Create new rule to start configuring your rule.
Name: The name to display for your configuration.
Search expression: A regular expression to match the string that you want to mask. Use the regular expression format.
Masking type: You can replace your data with a string or Secure Hash Algorithm 1 (SHA-1).
Select Add matcher to create a specific match for this rule and narrow down the scope for that rule. You can include multiple matchers in one rule. For example, the masking rule can be applied to logs from a specific container, namespace, or log source.
Select the matching attribute.
Attribute
Description
Container name
Matching is based on the name of the container.
DT entity container group ID
Matching is based on the DT entity container group ID.
K8s container name
Matching is based on the name of the Kubernetes container.
K8s deployment name
Matching is based on the name of the Kubernetes deployment.
K8s namespace name
Matching is based on the name of the Kubernetes namespace.
Log source
Matching is based on a log path; wildcards are supported in form of an asterisk.
Process group
Matching is based on the process group ID.
Process technology
Matching is based on the technology name.
Select Add value and, from the Values list, select the detected log data items (log files or process groups that contain log data). Multiple values can be added to the selected operator. You can have one matcher that indicates log source and matches values /var/log/syslog and Windows Application Log.
Select Save changes.
Defined rules can be reordered, and they are executed in the order in which they appear on the Sensitive data masking page.
Starting with OneAgent version 1.249, you can activate/inactivate your rules by turning on/off the Active toggle. To manage your rules effectively, we recommend that you upgrade your OneAgent to version 1.249. If you have any rules set on the host with OneAgent version earlier than 249, you will not be able to inactivate them, in which case you need to remove such rules by selecting Delete on the rule level or via the REST API.
You can use the Settings API to manage your sensitive data masking configuration:
To check the current schema version for sensitive data masking configuration, list all available schemas and look for the builtin:logmonitoring.sensitive-data-masking-settings
schema identifier. Sensitive data masking configuration objects are available for configuration on the following scopes:
tenant
—configuration object affects all hosts in a given environment.host_group
—configuration object affects all hosts assigned to a given host group.host
—configuration object affects only the given host.To create a sensitive data masking configuration using the API
settings.write
) and Read settings (settings.read
) permissions.schemaId
) is builtin:sensitive-data-masking-settings
. Here is an example JSON payload with the sensitive data masking configuration:[{"schemaId":"builtin:logmonitoring.sensitive-data-masking-settings","scope":"tenant","value":{"config-item-title":"Added from REST API","masking":{"expression":"run (\\d+?)","type":"STRING","replacement":"testing"},"matchers":[{"attribute":"log.source","operator":"MATCHES","values":["/var/log/syslog"]}]}}]
You can mask such data as your credit card or phone number, with or without specifying the capturing group.
In this example, you will configure a sensitive data masking rule that targets a credit card number in the following log record:
Username: John Doe, CreditCardNumber: 1234-1234-1234-1234
The rule is further narrowed to the c:\inetpub\logs\LogFiles\ex_*.log
files in two process groups: IIS (PROCESS_GROUP-3D9D854163F8F07A)
and IIS (PROCESS_GROUP-4A7B47FDB53137AE)
.
Go to Settings > Log Monitoring > Sensitive data masking
CreditCardNumber: (\d{4}-\d{4}-\d{4}-\d{4})
.SHA-1
for Masking type.IIS
, and select IIS (PROCESS_GROUP-3D9D854163F8F07A)
from the suggestions list.IIS
, and select the second process group from the suggestions list: PROCESS_GROUP-4A7B47FDB53137AE
.c:\inetpub\logs\LogFiles\ex_*.log
.Only content found within a capturing group is masked, and it is transformed to the following:
Username: John Doe, CreditCardNumber: 7e938e089861f3975b38cff3a93cc3aa659f7779
In this example, you will configure a sensitive data masking rule that targets all phone numbers in the following log record for all log files.
Username: John Doe, PhoneNumber: +48123010100
Go to Settings > Log Monitoring > Sensitive data masking.
PhoneNumber: [0-9\-\+]{9,15}
.SHA-1
for Masking type.The capturing group is not specified, so the full expression is treated as one capturing group and is masked so that it is transformed into the following in all log files:
Username: John Doe, 011897d555c81e88f286cbb74c59f4ad99ec2f8d
In the examples below, you can see how various combinations of sensitive data can be masked. You can use the listed payload JSON files in the REST API, or enter the listed masking rules, matchers, Regex expressions, and attributes directly when creating your rules via Dynatrace web UI.
To mask all credit card numbers and emails in your content, you need to create two separate rules, each with a different matcher:
{"masking": {"expression": "(\\d{4}-\\d{4}-\\d{4}-\\d{4})","type": "STRING","replacement": "MaskedCreditCardNumber"},"matchers": [],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [],"enabled": true}
To mask logs that are written by Apache AND whose log filename is error.log
, you can create one rule with two matchers:
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "log.source","values": ["/path/to/error.log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache OR whose log filename is error.log
, you need to create two rules with one matcher each:
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "log.source","values": ["/path/to/error.log"]}],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache and whose log filename starts with error
AND ends with log
, you need to have one rule with three matchers, each matcher having one value.
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "log.source","values": ["/path/to/error*"]},{"attribute": "log.source","values": ["*log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache and whose log filename starts with error
OR ends with log
, you need to have one rule with two matchers, one with the process group value, and the second one with two content values, /path/to/error*
and *log
:
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "log.source","values": ["/path/to/error*", "*log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache or MySQL, you need to have either two rules or one rule with one matcher that has two values.
The scenario with two rules:
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-MYSQL"]}],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
The scenario with one rule with a matcher that has two values:
{"masking": {"expression": "email: (.*),","type": "SHA1"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID", "PROCESS_GROUP-MYSQL"]}],"enabled": true}
The common regex formats for sensitive data include:
Sensitive data type
ReGEx
IPv4
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
Email address
\b[\w\-\._]+?@[\w\-\._]+?\.\w{2,10}?\b
Credit card number
\b[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}\b
Phone number
\+?[0-9]{3}-?[0-9]{6,12}\b
Data masking occurs within the entire expression or a capturing group. An expression has to match the regular expression engine syntax, and it cannot:
lookbehind
zero-length assertion in a capturing groupbackreference
zero-length assertion in a capturing groupx?
, x*
, or x+
) or possessive quantifiers (such as x?+
, x*+
, or xx++
). Use lazy/reluctant qualifiers (such as x??
and x+?
) instead.You can execute sensitive data masking in your environment so that the confidential data does not leave your infrastructure unprotected. If you import your data to Dynatrace via generic ingest, you need to mask the sensitive data on the source level, before ingestion. Alternatively, you can mask sensitive data during Log Processing. However, if you choose to mask your data during Log processing, your data will leave your environment as log processing occurs on the Dynatrace side. Therefore, it is safer to mask it within your environment.
One. If none is provided, then the entire scope of the regular expression you provide is treated as one capturing group.
Be aware of the following limitations to sensitive data masking:
File not monitored - incorrect sensitive data masking rule
message.