Control data privacy with New Relic log obfuscation options

A new, simple way to control sensitive information without lengthy manual configurations


The New Relic log management feature helps you ensure data privacy and makes it easy to follow your organization's log security guidelines with new obfuscation options.

Data obfuscation is a methodology used to hide all or parts of a data record to protect sensitive log data such as personally identifiable information (PII), access tokens, or any other private or regulated data. 

Our log management service automatically masks patterns for credit cards and Social Security numbers. With these new obfuscation options, you can use regular expressions and create custom rules to hash or mask confidential data before the information is stored. Using regular expressions (regex) means you won’t need lengthy manual configurations.

Better logs, easy security, and compliance

Our logs in context functionality extends visibility by showing logs alongside metrics so you can troubleshoot issues faster. You can also add filtering that follows your organization's security guidelines to mask, obfuscate, or prevent sending any sensitive data, all without a lengthy manual process or custom configurations from your teams.

Here are a few examples of private data you might want to obscure:

  • Personally identifiable information (PII): Information like Social Security numbers; combinations of data, like first name and date of birth or last name and zip code; or other user-generated data that is considered confidential.
  • Protected health information (PHI): Health data, such as medical records.
  • Financial data, like credit card numbers.
  • Passwords.
  • IP addresses may be considered sensitive, especially when in combination with PII.

Note that this is not an exhaustive list. Be sure to follow your organization's security guidelines to see what log data you may be required to protect.

Getting started with obfuscation rules

To prevent sending PII, PHI, or any other data that needs to be secured, you can choose one of two methods:

  • Masking is one-way, permanent obfuscation of the data. The data will be obscured and replaced with x’s (such as XXXX, instead of your data). Once this is done, there is no way to undo it or recover the original string.
  • Hashing is two-way obfuscation in the sense that an obfuscated value can still be found by someone who knows the original text. The data is replaced with its Secure Hash Algorithm 256 (SHA-256) hash string. A hashing tool in the UI allows customers to look up the SHA-256 value by entering the original text. The user can then search for that SHA-256 string in the logs UI.

Create an obfuscation expression

Define regular expressions to specify which data to hide. Use the following options to create an obfuscation expression:

  1. Go to one.newrelic.com > Logs and from the left navigation, select Obfuscation.
  2. Select Create regex.

Enter a name for your new obfuscation rule and a regular expression matching the sensitive data you want to capture. Use RE2 syntax.

Create an obfuscation rule

Hide sensitive data using matching criteria:

  1. Go to one.newrelic.com > Logs and from the left navigation, select Obfuscation.
  2. Select Create obfuscation rule.
  3. Enter a name for your new obfuscation rule and matching criteria (in NRQL format) to capture the target set of logs you want to obfuscate.
  4. Add new actions (the first one is added automatically) to specify the obfuscation expression (regex) to apply to each set of attributes and whether to mask or hash them. To specify multiple attributes, separate them with commas. Mask will replace all matching characters with the letter x. If you use mask, you won't be able to query for a particular obfuscated value later. Hash will replace sensitive data with the SHA-256 hash value. If you use hash, you will be able to query for the values using our hashing tool, provided you know their unhashed values.
  5. Select Create rule to create and activate your obfuscation rule.

    You’ve now successfully created a rule to match sensitive information before data is stored in NRDB.
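
The following sketch is an added example, not New Relic code: it models a rule locally to show how mask and hash differ when you later search the stored logs. The email expression, the sample records, the `service` matching criteria, and the use of plain SHA-256 over the whole regex match are assumptions made for illustration; Python's `re` stands in for RE2, so the pattern avoids lookarounds and backreferences.

```python
import hashlib
import re

# Constructed obfuscation expression (hypothetical, not a New Relic default).
# Valid in both RE2 and Python's re: no lookarounds, no backreferences.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample log records.
LOGS = [
    {"service": "checkout", "message": "payment failed for alice@example.com"},
    {"service": "checkout", "message": "retry queued for bob@example.com"},
    {"service": "auth", "message": "login ok for alice@example.com"},
]


def sha256_hex(text):
    """Local stand-in for the UI hashing tool (assumed: SHA-256 of the UTF-8 text)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mask(match):
    """Mask action: every matched character becomes X; the value is unrecoverable."""
    return "X" * len(match.group(0))


def hash_action(match):
    """Hash action: the matched text is replaced by its SHA-256 hex digest."""
    return sha256_hex(match.group(0))


def apply_rule(logs, criteria, attributes, expression, action):
    """Obfuscate the listed attributes of records that meet the matching criteria."""
    stored = []
    for record in logs:
        out = dict(record)
        if criteria(record):
            for name in attributes:
                if isinstance(out.get(name), str):
                    out[name] = expression.sub(action, out[name])
        stored.append(out)
    return stored


def search_hashed(stored, original_text):
    """Search stored logs for a known value by hashing it first."""
    digest = sha256_hex(original_text)
    return [r for r in stored if digest in r["message"]]


def checkout_only(record):
    """Stand-in for NRQL matching criteria such as: service = 'checkout'."""
    return record["service"] == "checkout"
```

Note that the `auth` record keeps its email address because it falls outside the matching criteria, so check that the criteria cover every log source that can carry the sensitive value. Because the hash in this sketch is deterministic, anyone who can guess a short or predictable value can confirm it by hashing candidates, which makes mask the safer choice for such data.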

Get started with log obfuscation