Anonymize your syslog logs
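# Anonymizing output format: date, time, app name, then the redacted copy of
# the message held in $!new. The raw $msg is not referenced by this template.
$template anonymize,"%$year%-%$month%-%$day% %timegenerated:12:19:date-rfc3339% %app-name% %$!new%\n"
# Make the anonymize template the default for all file actions.
# Actions that name their own template, and outputs other than file actions,
# are not covered by this default and can still emit the unredacted message.
$ActionFileDefaultTemplate anonymize

# Working copy of the message. Every rule below matches against and rewrites
# $!new so that redactions accumulate. Rewriting from $msg in each rule would
# throw away the masking done by earlier rules whenever a later rule matched,
# e.g. a line holding both a card number and an IPv4 address would keep the
# card number in clear text.
set $!new = $msg;

# Limitation shared by all rules: re_extract(..., 0, 1, "") returns only the
# first match, so a second, different value of the same kind in one message
# is left in clear text. Review sample output before relying on this for
# compliance purposes.

# Replace credit cards.
# The pattern is any run of 13-16 digits: it also masks long numeric IDs and
# does not catch card numbers written with spaces or dashes between groups.
if re_match($!new,'([0-9]{13,16})')
then {
    set $!ext = re_extract($!new,'([0-9]{13,16})',0,1,"");
    set $!new = replace($!new, $!ext, "*** (credit card)");
}

# Replace user agents (only strings that start with "Mozilla/x.y ").
if re_match($!new,'(Mozilla\\/[0-9]\\.[0-9] [^"\']+)')
then {
    set $!ext = re_extract($!new,'(Mozilla\\/[0-9]\\.[0-9] [^"\']+)',0,1,"");
    set $!new = replace($!new, $!ext, "*** (user agent)");
}

# Replace IPv4.
if re_match($!new,'((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]){1,3})')
then {
    set $!ext = re_extract($!new,'((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]){1,3})',0,1,"");
    set $!new = replace($!new, $!ext, "*** (ip v4)");
}

# Replace IPv6.
# The pattern accepts lower-case hex digits only, so upper-case addresses are
# not masked, and it is loose enough to also match colon-separated values
# such as hh:mm:ss times that appear inside the message text.
if re_match($!new,'(([0-9a-f]{1,4}|:):([0-9a-f]{0,4}(:|\\.)){1,8}[0-9a-f]{0,4})')
then {
    set $!ext = re_extract($!new,'(([0-9a-f]{1,4}|:):([0-9a-f]{0,4}(:|\\.)){1,8}[0-9a-f]{0,4})',0,1,"");
    set $!new = replace($!new, $!ext, "*** (ip v6)");
}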