Hello there Graylog Community, I want to mask the username, but it does not work and only returns the original message response.
I have this Rule source:
rule "mask_sensitive_fields"
when
    has_field("message")
then
    let message_str = to_string($message.message);
    // Define regex patterns for fields to mask
    let username_pattern = "\"username\":\"([^\"]*)\"";
    // Mask username and mobile values in the message string
    let message_masked_username = regex_replace(username_pattern, message_str, "\"username\":\"*****\"", true);
    // Update the message field with the masked message
    set_field("message", message_masked_username);
end
and this is my sample Rule Simulation:
[2024-07-17 03:02:53] dev.INFO: [library] Response sent [abc123] {"headers":{"cache-control":"no-cache, private","date":"Tue, 17 Jul 2024 03:02:53 GMT","content-type":"application/json","vary":"Origin"},"status_code":200,"response":"{\"user_id\":\"12\",\"username\":\"user123\",\"status\":\"active\""}
Please help, I’m stuck on this, thanks.
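
Added example (not part of the original post, and not Graylog code): a Python sketch of the regex behaviour behind the question, showing the post's pattern against the escaped quotes of the embedded "response" JSON, next to a pattern that accepts both quoting styles. It assumes the message reaches the rule with the literal backslashes shown in the simulation input; mask_fields, original_matches and the abbreviated sample are constructed for illustration, and "mobile" is taken from the rule's comment.

```python
import re

# The post's pattern as the regex engine receives it, after the rule-language
# string escapes are resolved: "username":"([^"]*)"
ORIGINAL_PATTERN = r'"username":"([^"]*)"'

# Constructed sample, abbreviated from the simulation message in the post.
# "response" is JSON embedded in a JSON string, so each inner quote is
# written as backslash + quote.
SAMPLE = (r'[2024-07-17 03:02:53] dev.INFO: [library] Response sent [abc123] '
          r'{"status_code":200,"response":"{\"user_id\":\"12\",'
          r'\"username\":\"user123\",\"status\":\"active\""}')


def original_matches(message):
    """True if the post's pattern finds a username pair in the message."""
    return re.search(ORIGINAL_PATTERN, message) is not None


def mask_fields(message, fields, mask="*****"):
    """Mask "field":"value" pairs at either quoting level.

    Returns (masked_text, number_of_replacements) so a caller can alert
    when a message that should contain a field produced zero hits.
    Assumption: values contain no quotes or backslashes of their own.
    """
    names = "|".join(re.escape(f) for f in fields)
    # Group 1 captures the quote exactly as written (" or \"); the
    # backreferences force the same style on every quote of the pair.
    pattern = re.compile(r'(\\?")(' + names + r')\1:\1[^"\\]*\1')

    def repl(m):
        q = m.group(1)
        return f"{q}{m.group(2)}{q}:{q}{mask}{q}"

    return pattern.subn(repl, message)


if __name__ == "__main__":
    # In the sample, username is followed by \" and not by ", so the
    # original pattern never matches and the message comes back unchanged.
    print("original pattern matches:", original_matches(SAMPLE))
    masked, hits = mask_fields(SAMPLE, ["username", "mobile"])
    print(hits, "replacement(s):", masked)
```

Carrying the tolerant pattern into the pipeline rule means escaping it again for the rule's string literal, and the replacement has to reuse the captured quote so the embedded JSON keeps its escaping.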