December 21, 2021
While I write this blog post, I reflect on my years as a system administrator and the task of ensuring that no sensitive data made its way past me. What a daunting task, right? The idea that sensitive data can make its way through our systems and other tools and reports is terrifying, not to mention the potential financial and contractual problems this can cause.
Identifying complex patterns in logs, metrics, and traces… filtering through long regex statements to catch every possible pattern that data can show up in… datasets that constantly change… new datasets… What a mess! Help!
So how can Cribl Stream help? We help IT and Security professionals manage their data with an easy-to-use web interface that previews potential changes to your data and gives you built-in functions to work through whatever transformations, reductions, and routing are needed. You get full control of your data: what shape or format it needs to be in, and which destinations it needs to go to. There is no need to make changes at the data source, which can be nearly impossible or take a long time to do. Instead, you can change that data in-stream on the way to its destination. Pretty cool, right?
So, let’s talk about masking with some sample data I already have streaming through Stream, and walk you through a few different ways to mask that sensitive data using Stream as an observability pipeline. Ready? Let’s go!
You know the patterns of the sensitive data in your logs and can easily identify one or more of these strings in the logs. If they are present, let’s do an md5 hash or replacement of those values.
Use the MASK function with regex statements for one or more known patterns. You can hash, redact, remove, replace with the text of choice, etc.
While onboarding a new dataset, the business teams have identified several fields that need to be addressed if present, and what to do with that data when it is. And we see this sensitive data in clear text in our live capture sample. Uh oh! Let’s fix this immediately!
SENSITIVE FIELD LIST | FIELD LABEL | ACTION IF FOUND |
---|---|---|
Social Security Number | “social” | Hash |
Electronic Serial Number | “esn” | Redact with (12) X characters |
Card Number | “cardNumber” | Mark as “Removed” |
In Stream, we simply add a MASK function to your pipeline to handle the masking needs. This is a handy function for replacing values with simple regex matches. A key benefit here is that you can add multiple simple regex patterns without relying on one complex, large regex pattern that may need more maintenance over time. Find the values you are looking for and replace them with the values that the business team requested.
Mask Function:
Preview the proposed changes in the UI before pushing out the configurations to affect the live data stream. Pretty easy, right?
Results:
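The three rules from the field list above, emulated in plain JavaScript as an added example (this is not Cribl's code or the original post's configuration). The `key=value` event layout, the regex patterns, and the names `MASK_RULES`, `maskRaw` and `SAMPLE` are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// md5 hex digest, matching the "Hash" action requested in the field list
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// One small rule per field instead of one large regex.
// Each pattern captures the key prefix (g1) and the sensitive value (g2).
const MASK_RULES = [
  // Social Security Number: hash the value
  { match: /\b(social=)(\d{3}-?\d{2}-?\d{4})\b/g, replace: (g1, g2) => g1 + md5(g2) },
  // Electronic Serial Number: redact with 12 X characters
  { match: /\b(esn=)([^,\s]+)/g, replace: (g1) => g1 + 'X'.repeat(12) },
  // Card Number: mark as "Removed"
  { match: /\b(cardNumber=)(\d{13,19})\b/g, replace: (g1) => g1 + 'Removed' },
];

// Apply every rule in order to the raw event text.
// Events that contain none of the fields pass through unchanged.
function maskRaw(raw) {
  return MASK_RULES.reduce(
    (out, rule) => out.replace(rule.match, (_m, g1, g2) => rule.replace(g1, g2)),
    raw
  );
}

// Constructed sample event (not real data)
const SAMPLE =
  '2021-12-21T10:00:00Z action=purchase, social=123456789, ' +
  'esn=ABC123DEF456, cardNumber=4111111111111111, status=ok';

console.log(maskRaw(SAMPLE));
```

A nine-digit Social Security Number has only 10^9 possible values, so an unsalted md5 of it can be reversed by enumeration; the hashed value is useful for correlating events, while the redact and replace actions are the ones that remove the data.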
You know the patterns of the sensitive data, but you’re not so strong at regex syntax. Maybe you need to look for the field names in the data and reference them in simple English. If they are present, let’s do an md5 hash of those values.
Let’s look at the PARSER and EVAL functions and how these can help identify key/value pairs automatically in your data and give you the option to remove/keep fields as desired. Then when we’re done, we’ll use the SERIALIZE function to re-assemble that event’s key value pairs back into _raw. Ready? Let’s go!
SENSITIVE FIELD LIST | FIELD LABEL | ACTION IF FOUND |
---|---|---|
Social Security Number | “social” | Hash |
Electronic Serial Number | “esn” | Hash |
Card Number | “cardNumber” | Hash |
This time let’s go about things a little differently, shall we? If regex is not your strong suit, we can always use the PARSER function to extract the key value pairs, make any changes needed for sensitive data, and then put the new key value pairs back together in whatever format we need.
Extract key value pairs using the PARSER function:
Create the EVAL function for sensitive data fields and md5 hash the values (if they exist):
Serialize key value pairs back to _raw while dropping unnecessary fields:
Drop non-essential fields from events:
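The parse, hash-if-present, serialize sequence described in these steps, written out in plain JavaScript as an added example (not Cribl's implementation or the original post's pipeline). The `key=value, key=value` layout of `_raw`, the dropped field name `sessionDebug`, and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(String(s)).digest('hex');

// Field labels from the list above; all three are hashed when present
const SENSITIVE_FIELDS = ['social', 'esn', 'cardNumber'];
// Hypothetical non-essential field to drop during serialization
const DROP_FIELDS = ['sessionDebug'];

// Step 1 (parser): extract key=value pairs from _raw, allowing quoted values
function parseKv(raw) {
  const fields = {};
  for (const m of raw.matchAll(/(\w+)=("[^"]*"|[^,\s]*)/g)) {
    fields[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return fields;
}

// Step 2 (eval): hash each sensitive field only if it exists and is non-empty
function hashSensitive(fields) {
  const out = { ...fields };
  for (const name of SENSITIVE_FIELDS) {
    if (out[name] !== undefined && out[name] !== '') out[name] = md5(out[name]);
  }
  return out;
}

// Step 3 (serialize): rebuild key=value text, skipping dropped fields and
// re-quoting values that contain whitespace or commas
function serializeKv(fields, drop = DROP_FIELDS) {
  return Object.entries(fields)
    .filter(([k]) => !drop.includes(k))
    .map(([k, v]) => k + '=' + (/[\s,]/.test(v) ? '"' + v + '"' : v))
    .join(', ');
}

// Full pipeline: the masked text replaces _raw; other event properties are kept
function processEvent(event) {
  return { ...event, _raw: serializeKv(hashSensitive(parseKv(event._raw))) };
}

// Constructed sample event (not real data)
const SAMPLE_EVENT = {
  _raw: 'action=purchase, social=123456789, esn=ABC123DEF456, ' +
        'cardNumber=4111111111111111, sessionDebug="trace 42", status=ok',
};

console.log(processEvent(SAMPLE_EVENT)._raw);
```

Because the hashing keys off parsed field names rather than value patterns, a sensitive value that appears outside a `key=value` pair is not caught by this approach.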
So hopefully, this shows you just a few ways to use Stream to help manage your sensitive data needs, use built-in functions, simplify your workflows, and save you precious time! If you want to learn more about built-in functions, visit our docs site.
The fastest way to get started with Cribl Stream is to sign up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign up and start using Stream within a few minutes.