anonymize

edit

We recommend that you use the fingerprint filter plugin instead of anonymize.

Anonymize fields by replacing values with a consistent hash.

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

anonymize {
    algorithm => ...
    fields => ...
    key => ...
}

Available configuration options

edit
Setting Input type Required Default value

add_field

hash

No

{}

add_tag

array

No

[]

algorithm

string, one of ["SHA1", "SHA256", "SHA384", "SHA512", "MD5", "MURMUR3", "IPV4_NETWORK"]

Yes

"SHA1"

fields

array

Yes

key

string

Yes

periodic_flush

boolean

No

false

remove_field

array

No

[]

remove_tag

array

No

[]

Details

edit

 

add_field

edit
  • Value type is hash
  • Default value is {}

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      anonymize {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }
    # You can also add multiple fields at once:
    filter {
      anonymize {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

add_tag

edit
  • Value type is array
  • Default value is []

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      anonymize {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also add multiple tags at once:
    filter {
      anonymize {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

algorithm

edit
  • This is a required setting.
  • Value can be any of: SHA1, SHA256, SHA384, SHA512, MD5, MURMUR3, IPV4_NETWORK
  • Default value is "SHA1"

digest/hash type

fields

edit
  • This is a required setting.
  • Value type is array
  • There is no default value for this setting.

The fields to be anonymized

key

edit
  • This is a required setting.
  • Value type is string
  • There is no default value for this setting.

Hashing key When using MURMUR3 the key is ignored but must still be set. When using IPV4_NETWORK key is the subnet prefix lentgh

periodic_flush

edit
  • Value type is boolean
  • Default value is false

Call the filter flush method at regular interval. Optional.

remove_field

edit
  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field}

Example:

    filter {
      anonymize {
        remove_field => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple fields at once:
    filter {
      anonymize {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

remove_tag

edit
  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      anonymize {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple tags at once:
    filter {
      anonymize {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.