I have it double escaped already but its not working.
I am new to writing these rules so this is the only thing I can come up with.
also this gives an invalid expression
(?<=SocialSecurityNumber\“\:\”)(\d{9})
Huh? Can’t read that properly… oh wait… let me just use the </> tool… looks like this:
(?<=SocialSecurityNumber\"\:\")(\d{9})
I think you meant the original I posted with all double quotes:
(?<=SocialSecurityNumber\\"\\:\\")(\\d{9})
which, yea, when I plug it into the editor it gets all wonky. Looks like you can resolve that by either single escaping the quotes in the regex or by triple escaping. I would try the triple escape first. (Originally the big thing missing was the escape on the colon.)
(?<=SocialSecurityNumber\\\"\\:\\\")(\\d{9})
Don’t know the reason the code wants all that escaping, probably has to do with the pre-parser that lets you know your code doesn’t work…
yea you’re right, the 3 dashes gives no errors.
but my message still does not get masked ;/
repost your current rule? (Use the </> markup!!)
You could add a debug() statement to see if it’s getting into the rule…
...
let ssn = regex_replace("(?<=SocialSecurityNumber\\\"\\:\\\")(\\d{9})", to_string($message.message),"***");
// use $ tail -f /var/log/graylog-server/server.log to watch for the results of the below debug message
//
debug(concat("============ ssn: ",to_string(ssn)));
set_field("message", ssn);
...
this is how the current rule looks like.
I am simulating the process, and when I change it to only mask 9 digits it works fine. But trying to only change the 9 digits after SocialSecurityNumber does not work.
rule "Mask SocialSecurityNumber"
when
has_field("message") AND contains(to_string($message.message), "SocialSecurityNumber")
then
let ssn = regex_replace("(?<=SocialSecurityNumber\\\"\\:\\\")(\\d{9})", to_string($message.message),"***");
set_field("message", ssn);
end
Just tested the rule - worked for me… with triple escape AND single escape on those quotes in the regex. Something else is going on…
Did the debug() show you were getting into the rule? On a side note, you don’t have to check for field message first, the second contains() is sufficient.
when
contains(to_string($message.message), "SocialSecurityNumber")
then
double check your rule to make sure you haven’t accidentally copied in quotes like ” from the forum… those won’t work, they have to be "
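The escaping confusion in this thread comes from two layers: the rule's double-quoted string literal is unescaped first, and only the result reaches the regex engine. The following is an added example, not code from the thread or from Graylog itself, that walks the three variants discussed (the double-escaped one that gave "invalid expression", the triple-escaped one, and the single-escaped quotes) through that pipeline. It assumes the rule language treats \\ and \" inside a string literal the way Java/C do and rejects any other escape; the sample message, the OrderId field and the function names are constructed for illustration.

```python
import re

# Constructed sample message (not from the thread). The OrderId field is a
# second 9-digit run that a plain \d{9} mask would hit but the lookbehind must not.
SAMPLE_MESSAGE = ('user login ok {"SocialSecurityNumber":"123456789",'
                  '"OrderId":"987654321"}')

# The regex exactly as typed between the quotes of the rule's string literal.
RULE_LITERAL_DOUBLE = r'(?<=SocialSecurityNumber\\"\\:\\")(\\d{9})'    # gave "invalid expression"
RULE_LITERAL_TRIPLE = r'(?<=SocialSecurityNumber\\\"\\:\\\")(\\d{9})'  # works
RULE_LITERAL_SINGLE = r'(?<=SocialSecurityNumber\"\\:\")(\\d{9})'      # also works


def unescape_rule_literal(body):
    """Decode a double-quoted rule string literal into the text the regex engine sees.

    Assumption (not verified against Graylog's grammar): \\\\ -> backslash,
    \\" -> quote, anything else after a backslash is an error, and a bare "
    terminates the literal, which is the "invalid expression" failure mode.
    """
    out = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == '\\':
            if i + 1 >= len(body):
                raise ValueError('dangling backslash at end of literal')
            nxt = body[i + 1]
            if nxt == '\\':
                out.append('\\')
            elif nxt == '"':
                out.append('"')
            else:
                raise ValueError(f'unknown escape \\{nxt} at offset {i}')
            i += 2
        elif c == '"':
            raise ValueError(f'unescaped quote at offset {i} ends the string literal early')
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def apply_rule(message, literal):
    """Mirror the thread's rule: when contains(message, "SocialSecurityNumber")
    then regex_replace(pattern, message, "***"). Returns (status, result)."""
    if 'SocialSecurityNumber' not in message:
        return ('skipped', message)          # the 'when' clause did not fire
    try:
        pattern = unescape_rule_literal(literal)
    except ValueError as err:
        return ('invalid expression', str(err))
    # Python's re, like Java's, needs a fixed-width lookbehind; this one is.
    return ('ok', re.sub(pattern, '***', message))


if __name__ == '__main__':
    for name, literal in [('double', RULE_LITERAL_DOUBLE),
                          ('triple', RULE_LITERAL_TRIPLE),
                          ('single', RULE_LITERAL_SINGLE)]:
        print(name, '->', apply_rule(SAMPLE_MESSAGE, literal))
```

Running it shows why only the quotes needed the extra backslash: after one round of unescaping, the triple-escaped form hands the engine `(?<=SocialSecurityNumber\"\:\")(\d{9})`, where `\"` and `\:` are just literal characters, while the double-escaped form turns `\\"` into a backslash followed by a bare quote that closes the literal early.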
Debug() dumps to the Graylog log file (it’s commented out but in the example rule I set up…) tail it to see the info in there…
// use $ tail -f /var/log/graylog-server/server.log to watch for the results of the below debug message
//
debug(concat("============ ssn: ",to_string(ssn)));
yea but nothing happened to the log when I added the debug
oh wow… ok it works fine when I run an actual scenario but not in the simulator.
you guys are amazing, thank you so so much. have an amazing weekend!
Great!! I Never used the simulator… maybe that’s a good thing…
Glad it’s working!
The simulator has some quirks. Nuff said…