Your log data contains information that may be considered sensitive. Specific log messages may include user names, email addresses, URL parameters, and other information that you may not want to disclose. Log Monitoring features the ability to mask any information by modifying the configuration file on each OneAgent that handles information you consider to be sensitive.
Masking is performed directly on OneAgent, ensuring that sensitive data are never ingested into the system.
You can select the data that needs to be protected by applying a set of masking rules. Within each rule, you can decide what to hide and replace your hidden content with. If you need to address only specific attributes, such as predefined containers, log sources, or process groups, you can achieve it by adding matchers to your rules.
You can configure sensitive data masking on the host, host group or environment level.
Go to Settings > Log Monitoring > Sensitive data masking, and select Add rule to start configuring your rule.
Rule name: The name to display for your configuration.
Search expression: A regular expression to match the string that you want to mask. Use the regular expression format.
Select Test your regular expression. Input sample logs to test your regular expression against, and select Test to view the result.
Masking type: You can replace your data with a string or Secure Hash Algorithm 256 (SHA-256) (SHA-1 is deprecated).
Select Add condition to create a specific match for this rule and narrow down the scope for that rule. You can include multiple matchers in one rule. For example, the masking rule can be applied to logs from a specific container, namespace, or log source.
Select the matching attribute.
Attribute
Description
Search dropdown logic
Process group
Matching is based on the process group ID.
Attributes visible in the last 3 days are listed.
Log source
Matching is based on a log path; wildcards are supported in form of an asterisk. Autocompletion for Log source is only partial. You can either choose one of the predefined values or enter your log source.
Can be entered manually. No time limit.
Log source origin1
Matching is based on the detector was used by the log agent to discover the log file.
Can be entered manually. No time limit.
Matching is based on the host tag. The attribute only supports the tags set with the OneAgent command line tool or with the Remote configuration in a key=value pair format. They can be distinguished by the [Environment] prefix on the UI, but you should use the value without the prefix.
Multiple tags can be specified in a single matcher, but each tag needs to have the same key, such as logscope=frontend, logscope=backend.
Can be entered manually. No time limit.
K8s container name
Matching is based on the name of the Kubernetes container.
Attributes visible in the last 90 days are listed.
K8s namespace name
Matching is based on the name of the Kubernetes namespace.
Attributes visible in the last 90 days are listed.
K8s deployment name
Matching is based on the name of the Kubernetes deployment.
Attributes visible in the last 90 days are listed.
Container name
Matching is based on the name of the container.
Attributes visible in the last 90 days are listed.
DT entity container group ID
Matching is based on any of the selected container groups.
Can be entered manually. No time limit.
Process technology
Matching is based on the technology name.
Can be entered manually. No time limit.
The minimum required OneAgent version is 1.295.
Manually or automatically applied tags are not visible to OneAgent.
The minimum required OneAgent version is 1.289.
Select Add value and select the detected log data items from the Values list (log files or process groups containing log data). Multiple values can be added to the selected operator. You can have one matcher that indicates log source and matches values /var/log/syslog and Windows Application Log.
Select Save changes.
Defined rules can be reordered, and they are executed in the order in which they appear on the Sensitive data masking page.
Masking rule execution occurs in a predefined hierarchy, from top to bottom. Each consecutive rule is applied to the result of a preceding rule. The hierarchy is as follows:
The host configuration rules can be accessed through the Host settings for a specific host.
The host group configuration rules can be accessed via the Host page.
The Host group property is not displayed when the selected host doesn't belong to any host group.
<group name> link, where <group name> is the name of the host group that you want to configure.The tenant scope is available in the settings menu.
You can use the Settings API to manage your sensitive data masking configuration:
To check the current schema version for sensitive data masking configuration, list all available schemas and look for the builtin:logmonitoring.sensitive-data-masking-settings schema identifier. Sensitive data masking configuration objects are available for configuration on the following scopes:
tenant—configuration object affects all hosts in a given environment.host_group—configuration object affects all hosts assigned to a given host group.host—configuration object affects only the given host.To create a sensitive data masking configuration using the API
settings.write) and Read settings (settings.read) permissions.schemaId) is builtin:sensitive-data-masking-settings. Here is an example JSON payload with the sensitive data masking configuration:[{"schemaId":"builtin:logmonitoring.sensitive-data-masking-settings","scope":"tenant","value":{"config-item-title":"Added from REST API","masking":{"expression":"run (\\d+?)","type":"STRING","replacement":"testing"},"matchers":[{"attribute":"log.source","operator":"MATCHES","values":["/var/log/syslog"]}]}}]
You can mask such data as your credit card or phone number, with or without specifying the capturing group.
In this example, you will configure a sensitive data masking rule that targets a credit card number in the following log record:
Username: John Doe, CreditCardNumber: 1234-1234-1234-1234
The rule is further narrowed to the c:\inetpub\logs\LogFiles\ex_*.log files in two process groups: IIS (PROCESS_GROUP-3D9D854163F8F07A) and IIS (PROCESS_GROUP-4A7B47FDB53137AE).
Go to Settings and select Log Monitoring > Sensitive data masking
CreditCardNumber: (\d{4}-\d{4}-\d{4}-\d{4}).SHA-256 for Masking type.IIS, and select IIS (PROCESS_GROUP-3D9D854163F8F07A) from the suggestions list.IIS, and select the second process group from the suggestions list: PROCESS_GROUP-4A7B47FDB53137AE.c:\inetpub\logs\LogFiles\ex_*.log.Only content found within a capturing group is masked, and it is transformed to the following:
Username: John Doe, CreditCardNumber: 7e938e089861f3975b38cff3a93cc3aa659f7779
In this example, you will configure a sensitive data masking rule that targets all phone numbers in the following log record for all log files.
Username: John Doe, PhoneNumber: +48123010100
Go to Settings and select Log Monitoring > Sensitive data masking.
PhoneNumber: [0-9\-\+]{9,15}.SHA-256 for Masking type.The capturing group is not specified, so the full expression is treated as one capturing group and is masked so that it is transformed into the following in all log files:
Username: John Doe, 011897d555c81e88f286cbb74c59f4ad99ec2f8d
In the examples below, you can see how various combinations of sensitive data can be masked. You can use the listed payload JSON files in the REST API, or enter the listed masking rules, matchers, Regex expressions, and attributes directly when creating your rules via Dynatrace web UI.
To mask all credit card numbers and emails in your content, you need to create two separate rules, each with a different matcher:
{"masking": {"expression": "(\\d{4}-\\d{4}-\\d{4}-\\d{4})","type": "STRING","replacement": "MaskedCreditCardNumber"},"matchers": [],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [],"enabled": true}
To mask logs that are written by Apache AND whose log filename is error.log, you can create one rule with two matchers:
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "log.source","values": ["/path/to/error.log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache OR whose log filename is error.log, you need to create two rules with one matcher each:
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "log.source","values": ["/path/to/error.log"]}],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache and whose log filename starts with error AND ends with log, you need to have one rule with three matchers, each matcher having one value.
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "log.source","values": ["/path/to/error*"]},{"attribute": "log.source","values": ["*log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that Apache writes and whose log filename starts with error OR ends with log, you need to have one rule with two matchers, one with the process group value, and the second one with two content values, /path/to/error* and *log:
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "log.source","values": ["/path/to/error*", "*log"]},{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
To mask logs that are written by Apache or MySQL, you need to have either two rules or one rule with one matcher that has two values.
The scenario with two rules:
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-MYSQL"]}],"enabled": true},{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID"]}],"enabled": true}
The scenario with one rule with a matcher that has two values:
{"masking": {"expression": "email: (.*),","type": "SHA256"},"matchers": [{"attribute": "dt.entity.process_group","values": ["PROCESS_GROUP-APACHEID", "PROCESS_GROUP-MYSQL"]}],"enabled": true}
The common regex formats for sensitive data include:
Sensitive data type
ReGEx
IPv4
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
Email address
\b[\w\-\._]+?@[\w\-\._]+?\.\w{2,10}?\b
Credit card number
\b[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}\b
Phone number
\+?[0-9]{3}-?[0-9]{6,12}\b
Data masking occurs within the entire expression or a capturing group. An expression has to match the regular expression engine syntax, and it cannot:
lookbehind zero-length assertion in a capturing groupbackreference zero-length assertion in a capturing groupx?, x*, or x+) or possessive quantifiers (such as x?+, x*+, or xx++). Use lazy/reluctant qualifiers (such as x?? and x+?) instead.You can execute sensitive data masking in your environment so that the confidential data does not leave your infrastructure unprotected. If you import your data to Dynatrace via generic ingest, you need to mask the sensitive data on the source level, before ingestion. Alternatively, you can mask sensitive data during Log Processing. However, if you choose to mask your data during Log processing, your data will leave your environment as log processing occurs on the Dynatrace side. Therefore, it is safer to mask it within your environment.
One. If none is provided, then the entire scope of the regular expression you provide is treated as one capturing group.
Be aware of the following limitations to sensitive data masking:
File not monitored - incorrect sensitive data masking rule message.