The New Relic log management feature helps you ensure data privacy and makes it easy to follow your organization's log security guidelines with new obfuscation options.
Data obfuscation is a methodology used to hide all or parts of a data record to protect sensitive log data such as personally identifiable information (PII), access tokens, or any other private or regulated data.
Our log management service automatically masks patterns for credit cards and Social Security numbers. With these new obfuscation options, you can use regular expressions and create custom rules to hash or mask confidential data before the information is stored. Using regular expressions (regex) means you won’t need lengthy manual configurations.
Better logs, easy security, and compliance
Our logs in context functionality extends visibility by showing logs alongside metrics so you can troubleshoot issues faster. You can also apply additional filtering that follows your organization's security guidelines to mask, obfuscate, or prevent sending any sensitive data, all without a lengthy manual process or custom configurations from your teams.
Here are a few examples of private data you might want to obscure:
- Personally identifiable information (PII): information like Social Security numbers; combinations of data, like first name and date of birth or last name and zip code; or other user-generated data that is considered confidential.
- Protected health information (PHI): Health data, such as medical records.
- Financial data, like credit card numbers.
- Passwords.
- IP addresses may be considered sensitive, especially when in combination with PII.
Note that this is not an exhaustive list. Be sure to follow your organization's security guidelines to see what log data you may be required to protect.
Getting started with obfuscation rules
To prevent sending PII, PHI, or any other data that needs to be secured, you can choose one of two methods:
- Masking is one-way, permanent obfuscation of the data. The data will be obscured and replaced with x’s (such as XXXX, instead of your data). Once this is done, there is no way to undo it or recover the original string.
- Hashing is two-way obfuscation in the sense that a known value can still be looked up: the data is replaced with its Secure Hash Algorithm 256 (SHA-256) hash string. The hash cannot be reversed to recover the original text, but a hashing tool in the UI allows customers to look up their SHA-256 string by entering the original text. The user can then search for that SHA-256 string in the logs UI.
Create an obfuscation expression
Define regular expressions to specify which data to hide. Use the following options to create an obfuscation expression:
- Go to one.newrelic.com > Logs and from the left navigation, select Obfuscation.
- Select Create regex.
- Enter a name for your new obfuscation rule and a regular expression matching the sensitive data you want to capture. Use RE2 syntax.
Create an obfuscation rule
Hide sensitive data using matching criteria:
- Go to one.newrelic.com > Logs and from the left navigation, select Obfuscation.
- Select Create obfuscation rule.
- Enter a name for your new obfuscation rule and matching criteria (in NRQL format) to capture the target set of logs you want to obfuscate.
- Add new actions (the first one is added automatically) to specify the obfuscation expression (regex) to apply to each set of attributes and whether to mask or hash them. Specify multiple attributes as a comma-separated list. Mask replaces all matching characters with the letter x. If you use mask, you won't be able to query for a particular obfuscated value later. Hash replaces sensitive data with its SHA-256 hash value. If you use hash, you will be able to query for a value using our hashing tool, provided you know its unhashed value.
- Select Create rule to create and activate your obfuscation rule.
You’ve now successfully created a rule to match sensitive information before data is stored in NRDB.
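To see how the two actions differ once a rule is active, the following added example (a local simulation, not New Relic's code or API) applies one regex to the `message` attribute of constructed log records, first with mask and then with hash, and then repeats the lookup that the hashing tool performs. The email regex, the function names, the uppercase `X` mask character, and hex-encoded SHA-256 over UTF-8 text are assumptions made for illustration.

```python
import hashlib
import re

# Hypothetical obfuscation expression: email addresses. It avoids lookarounds
# and backreferences, so the same pattern is also valid RE2 syntax.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def sha256_hex(value: str) -> str:
    """What a hash lookup computes: SHA-256 of the original text (UTF-8 assumed)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def mask(match: re.Match) -> str:
    # One X per matched character: only the length of the value survives.
    return "X" * len(match.group(0))

def hash_value(match: re.Match) -> str:
    # Deterministic: the same input always produces the same 64-hex-char string.
    return sha256_hex(match.group(0))

def obfuscate(record: dict, attributes: list, pattern, action) -> dict:
    """Apply one action to the listed attributes of a record before it is stored."""
    out = dict(record)
    for attr in attributes:
        if isinstance(out.get(attr), str):
            out[attr] = pattern.sub(action, out[attr])
    return out

def search(records: list, attribute: str, needle: str) -> list:
    """Stand-in for a log query: records whose attribute contains the needle."""
    return [r for r in records if needle in r.get(attribute, "")]

# Constructed sample records (not real log data).
LOGS = [
    {"service": "billing", "message": "invoice sent to ana@example.com"},
    {"service": "billing", "message": "login failed for bob@example.org"},
    {"service": "billing", "message": "retry invoice for ana@example.com"},
]

MASKED = [obfuscate(r, ["message"], EMAIL, mask) for r in LOGS]
HASHED = [obfuscate(r, ["message"], EMAIL, hash_value) for r in LOGS]

if __name__ == "__main__":
    print(MASKED[0]["message"])   # the address is replaced by a run of X
    print(HASHED[0]["message"])   # the address is replaced by its SHA-256 hex
    # Lookup: hash the known original, then search the stored logs for it.
    hits = search(HASHED, "message", sha256_hex("ana@example.com"))
    print(len(hits), "records mention the known address")
```

Because the hash is deterministic, anyone who can guess an original value can confirm it and correlate its occurrences in hashed logs; masked values cannot be queried or told apart at all.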
Next steps
To begin using the new obfuscation options, log in to your New Relic Data Plus account or sign up for a free account. Your free account offers 100 GB/month of free data ingest, one free full-platform user, and unlimited free basic users.