Log Masking

Recognizing the importance of privacy, Lumigo introduces advanced log masking capabilities. With log masking, you can define specific rules for masking sensitive data within logs before they are processed and saved.

Client-Side Masking

Client-side masking provides you with the flexibility to mask sensitive data on the client side before it is sent to Lumigo. Lumigo's client-side masking adheres to the strictest privacy requirements.

Configuring Client-Side Masking

Set the following environment variables:

LUMIGO_LOG_MASKING_REGEX_VALUE: This variable accepts an array of regular expressions designed to scrub specific values within your logs.

To specify keys to be scrubbed, you can either provide a Regex (useful mostly for unstructured logs), or the exact JSON path:

LUMIGO_LOG_MASKING_REGEX_KEY: This variable accepts an array of regular expressions that match JSON keys in your logs. The values of the matching keys will be scrubbed.

LUMIGO_LOG_MASKING_EXACT_PATH: This variable accepts an array of exact paths to scrub.
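A local pre-deployment check for the three variables above, as an added example that is not Lumigo's code: it compiles the candidate rules, applies an approximation of them to a constructed log record, and reports which planted sensitive strings would survive. It assumes each variable holds a JSON array of strings, that exact paths use dot notation, and that key regexes match anywhere in the key; the `****` mask string and the helper names are hypothetical.

```python
import json
import re

MASK = "****"  # placeholder for this example; not necessarily Lumigo's mask string
NAMES = ("LUMIGO_LOG_MASKING_REGEX_VALUE", "LUMIGO_LOG_MASKING_REGEX_KEY",
         "LUMIGO_LOG_MASKING_EXACT_PATH")

# Constructed sample configuration (assumption: each value is a JSON array of
# strings, and exact paths use dot notation).
SAMPLE_ENV = {
    NAMES[0]: r'["\\b(?:\\d[ -]?){13,16}\\b"]',  # card-number-like values
    NAMES[1]: r'["(?i)credit_card"]',              # keys whose values are scrubbed
    NAMES[2]: r'["user.email"]',                   # exact JSON path
}
# Constructed sample log record and the sensitive strings planted in it.
SAMPLE_LOG = {
    "message": "retrying card 4111 1111 1111 1111",
    "user": {"email": "alice@example.com"},
    "payment": {"Credit_Card": "4242-4242-4242-4242"},
    "notes": "receipt sent to alice@example.com",
}
PLANTED = ["4111 1111 1111 1111", "4242-4242-4242-4242", "alice@example.com"]

def load_rules(env):
    """Compile the three rule sets; an invalid regex raises re.error here."""
    values, keys, paths = (json.loads(env.get(n, "[]")) for n in NAMES)
    return ([re.compile(v) for v in values], [re.compile(k) for k in keys],
            [tuple(p.split(".")) for p in paths])

def mask(node, rules, path=()):
    """Return a masked copy of a parsed JSON log record."""
    value_res, key_res, exact_paths = rules
    if isinstance(node, dict):
        return {k: MASK if path + (k,) in exact_paths or any(r.search(k) for r in key_res)
                else mask(v, rules, path + (k,)) for k, v in node.items()}
    if isinstance(node, list):
        return [mask(v, rules, path) for v in node]
    if isinstance(node, str):
        for r in value_res:
            node = r.sub(MASK, node)
    return node

def leaks(record, rules, planted):
    """List the planted sensitive strings still present after masking."""
    rendered = json.dumps(mask(record, rules))
    return [s for s in planted if s in rendered]

if __name__ == "__main__":
    print(leaks(SAMPLE_LOG, load_rules(SAMPLE_ENV), PLANTED))
```

In this local model the email address inside the free-text `notes` field survives, because the exact-path rule covers only `user.email`; a value regex for email addresses is needed to catch it.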

Log masking via the Lumigo platform

Lumigo also provides a centralized solution for log masking, enabling users to define masking rules globally. These rules are then propagated across all components, including Lambda functions, containers, and Kubernetes.

Configure Log Masking rule

  1. Navigate to the log masking page in the Lumigo platform.
  2. Insert the Log Masking rule name: this name will be used in the platform.
  3. Set log filter (Optional): using the Lumigo Search Syntax, you can filter which logs should and should not be masked (e.g. create a filter to mask only logs originating in Production, while leaving logs from Staging in their original form).
  4. Set masking rule: determines which log fields/parts are subject to masking.
    1. Exact Identifier: Useful for JSON structured logs. Provide the exact JSON Path that should be masked (e.g. email)
    2. Value: Using Regex, you can define a pattern of a log value that should be masked. Any log that meets the value pattern will be scrubbed (e.g. set a pattern to mask credit card details)
    3. Key: Using Regex, you can define a pattern of a log key (field) that should be masked. The value of the specified key will be scrubbed in each log that meets the Regex pattern (e.g. set a Regex to scrub the credit_card key)