Hi,
I want to anonymize sessionid information from weblogs.
I use a deployment server to push out an app with the log files we are tailing.
In that app, I have a props.conf with the following line:
```
[web_access]
SEDCMD-access = s/(?:\s\d+\s)(\w{32})/ XXXXXXXXXX-sessionid-XXXXXXXXXXX /g
```
web_access is the sourcetype of the log being tailed that contains the session id.
The session id (char length 32) is always preceded by an integer surrounded by white space.
I came to the regex above by tweaking the results of a search with `rex mode=sed "s/(?:\s\d+\s)(\w{32})/XXXXXX-sessionid-XXXXXX/g"`. This consistently masks the sessionid in searches on historical data.
I have deployed the app out with its new SEDCMD stanza in props.conf, but new data doesn't seem to be getting anonymized, even though I have restarted the universal forwarder on the web server (Windows, but not IIS).
Any ideas?
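The substitution from the post run over constructed log lines, as an added example that is not part of the original post. Python's `re` stands in for the sed-style replacement, and the sample lines, the `mask_keep_int` variant and the `leaked` check are assumptions for illustration; it shows that the non-capturing group is still part of the match, so the integer before the session id is replaced together with it.

```python
import re

# Pattern and replacement exactly as posted in the SEDCMD line.
POSTED = re.compile(r"(?:\s\d+\s)(\w{32})")
POSTED_REPL = " XXXXXXXXXX-sessionid-XXXXXXXXXXX "

# Hypothetical variant (not from the post): capture the integer and its
# surrounding whitespace and write it back, so only the id is masked.
KEEP_INT = re.compile(r"(\s\d+\s)\w{32}")
KEEP_INT_REPL = r"\1XXXXXXXXXX-sessionid-XXXXXXXXXXX"

# Constructed sample lines; the real web_access layout is not shown in the post.
SESSION_ID = "0123456789abcdef0123456789abcdef"  # 32 word characters
SAMPLE = [
    "GET /cart 200 5120 " + SESSION_ID + " rest",
    "GET /health 200 12 -",  # no session id, must pass through unchanged
]


def mask_posted(line):
    """Apply the posted substitution globally, like the trailing /g."""
    return POSTED.sub(POSTED_REPL, line)


def mask_keep_int(line):
    """Mask only the 32-character id and keep the preceding integer."""
    return KEEP_INT.sub(KEEP_INT_REPL, line)


def leaked(lines):
    """Return the lines that still contain an unmasked session id."""
    return [line for line in lines if POSTED.search(line)]


if __name__ == "__main__":
    for raw in SAMPLE:
        print("raw     :", raw)
        print("posted  :", mask_posted(raw))
        print("keep int:", mask_keep_int(raw))
    print("unmasked before:", len(leaked(SAMPLE)))
    print("unmasked after :", len(leaked([mask_posted(l) for l in SAMPLE])))
```

Running `leaked` over a sample of newly indexed events is a quick way to confirm whether the masking is taking effect.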