This documentation and the Cisco Observability Platform functionalities it describes are subject to change. Data saved on the platform may disappear and APIs may change without notice.
Mask Sensitive Data
You can minimize the risk of exposing sensitive customer data such as credit card data or personally identifiable information (PII) by configuring automatic redaction of fields or patterns in log messages. The ability to redact data supports your Payment Card Industry (PCI) compliance needs and minimizes the damage caused by data breaches, but best practice is to redact sensitive information before writing it to logs. Automatic redaction, which happens after logs are ingested but before logs are indexed and stored, offers an extra layer of protection. It does not affect data archiving.
You must be logged into the Cisco Cloud Observability interface with the role of Configuration Manager in order to configure data masking. Other roles can view data masking rules or expressions but cannot configure them.
The data masking feature does the following:
- Retrieves masking rules from the configuration store based on Tenant
- For each rule it retrieves, it matches the expression (pattern) in that rule to a string in the log messages and replaces (masks) the matched string with the value you specified in the rule
- Stores log messages with masked data in the backend log data store
- Stores patterns and masking rules in the configuration store
To configure data masking, add logs:dataMaskingExpression and logs:dataMaskingRuleV1 MELT workflows to your solution.
Limitation: Currently, the platform doesn't support defining a logging solution. Instead, you can configure the Log Collector that is bundled with the Cisco Cloud Observability solution.
Create a Data Masking Expression
In a new file, <your-solution-name>/logs/objects/masking-expression.json, define a MELT workflow of type logs:dataMaskingExpression. This file can contain an array of logs:dataMaskingExpression MELT workflows.
Add the new MELT workflow(s) to your solution. Make the following changes to your solution manifest file (<your-solution-name>/manifest.json):
- In dependencies, add logs.
- In objects, add this snippet:
{ "type": "logs:dataMaskingExpression", "objectsFile": "logs/objects/masking-expression.json" }
Validate manifest.json with the command fsoc solution validate.
Create a Data Masking Rule
In a new file, <your-solution-name>/logs/objects/masking-rule.json, define a MELT workflow of type logs:dataMaskingRuleV1. This file can contain an array of logs:dataMaskingRuleV1 MELT workflows.
Add the new logs:dataMaskingRule object to your solution. Make the following changes to your solution manifest file (<your-solution-name>/manifest.json):
- In dependencies, add logs.
- In objects, add this snippet:
{ "type": "logs:dataMaskingRule", "objectsFile": "logs/objects/masking-rule.json" }
Validate manifest.json with the command fsoc solution validate.
Enable Data Masking
You enable or disable masking rules individually in each logs:dataMaskingRule MELT workflow by setting its isEnabled attribute to true (enable) or false (disable).
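Before deploying a masking expression, it helps to check offline what it matches and what it leaves alone. The following is an added example, not platform code: it mimics the match-and-replace behavior and the isEnabled switch described above using Python's re module. The field names name, expression and maskValue, the sample rules and the log lines are assumptions, and the platform's regex dialect may differ from Python's.

```python
import re

# Constructed rules for local testing. "isEnabled" is the attribute named on
# this page; "name", "expression" and "maskValue" are hypothetical field names,
# not the schema of logs:dataMaskingExpression or logs:dataMaskingRuleV1.
RULES = [
    {"name": "card-number", "isEnabled": True,
     "expression": r"\b(?:\d[ -]?){12,18}\d\b", "maskValue": "[CARD]"},
    {"name": "email", "isEnabled": True,
     "expression": r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", "maskValue": "[EMAIL]"},
    {"name": "us-ssn", "isEnabled": False,
     "expression": r"\b\d{3}-\d{2}-\d{4}\b", "maskValue": "[SSN]"},
]

def luhn_ok(candidate):
    """True if the digits in candidate pass the Luhn checksum used by card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_line(line, rules=RULES):
    """Apply each enabled rule in order; return (masked_line, names_of_rules_that_fired)."""
    fired = []
    for rule in rules:
        if not rule["isEnabled"]:
            continue
        def repl(m, rule=rule):
            # Card rule only: leave digit runs that fail Luhn (order ids, counters).
            if rule["name"] == "card-number" and not luhn_ok(m.group()):
                return m.group()
            fired.append(rule["name"])
            return rule["maskValue"]
        line = re.sub(rule["expression"], repl, line)
    return line, fired

# Constructed sample log lines; 4111 1111 1111 1111 is a standard test card number.
SAMPLES = [
    "payment ok card=4111 1111 1111 1111 user=ana@example.com",
    "order 1234567890123456 shipped",    # 16 digits but fails Luhn: must stay
    "kyc check ssn=000-12-3456 passed",  # matching rule is disabled: stays
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(mask_line(sample))
```

The third sample shows the failure mode to watch for: a rule left with isEnabled set to false lets the value through unmasked, so review the enabled state of every rule along with its pattern.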