Documentation
Start typing to search…

Log Masking

Overview

Lumigo provides advanced log masking capabilities to enhance data privacy and security. Log masking allows you to define rules that hide sensitive data in logs before they are processed and stored.

Client-Side Masking

Client-side masking enables you to mask sensitive data on the client side before it is sent to Lumigo. Lumigo's client-side masking adheres to the strictest privacy requirements.

Configure Client-Side Masking

To configure client-side masking, set the following environment variables:

  • LUMIGO_LOG_MASKING_REGEX_VALUE: This variable accepts an array of regular expressions designed to scrub specific values within your logs.

To specify keys you want scrubbed you can either provide a Regex, which is useful mostly for unstructured logs, or the exact JSON path:

  • LUMIGO_LOG_MASKING_REGEX_KEY: This variable accepts an array of regular expressions that match JSON keys in your logs. The values of the matching keys will be scrubbed.
  • LUMIGO_LOG_MASKING_EXACT_PATH: This variable accepts an array of exact paths to scrub.

Log masking via the Lumigo platform

Lumigo also provides a centralized solution for log masking, enabling users to define masking rules globally. These rules are then propagated across all components, including Lambda functions, containers, and Kubernetes.

Configure the Log Masking Rule

  1. Navigate to the log masking page in the Lumigo platform.
  2. Insert the Log Masking rule name. this will be the name used in the platform.
  3. (Optional) Set a log filter. using the Lumigo Search Syntax, you can filter which logs should and should not be masked. For example, you can create a filter to mask only logs originating in Production, while leaving logs from Staging in their original form.
  4. Set the masking rule. This helps determine which log fields/parts are subject to masking.
    1. Exact Identifier: Useful for JSON structured logs. Provide the exact JSON Path that should be masked, such as email.
    2. Value: Using Regex, you can define a pattern of a log value that should be masked. Any log that meets the value pattern will be scrubbed. For example, you can set a pattern to mask credit card details.
    3. Key: Using Regex, you can define a pattern of a log key (field) that should be masked. The value of the specified key will be scrubbed in each log that meets the Regex pattern. Fore example, you can set a Regex to scrub the credit_card key.

Updated 25 days ago