rsyslog

The rocket-fast system for log processing

Howto anonymize messages that go to specific files

Rsyslog’s mmanon module is used to anonymize data. It is important to keep in mind that mmanon actually modifies the message. So, as stated in the module documentation, the original, non-anonymized message can no longer be obtained once mmanon has been applied (except, of course, if the message was stored to a variable before calling mmanon). So it is important to structure your configuration file’s processing flow so that mmanon is called before all actions that need the anonymized data, and after all actions that still need the original. An alternative, and this is what we will do here, is to make sure a common filter is used for both calling mmanon and the action that requires the anonymization. Let’s start with a fairly standard and small configuration:

    $ModLoad imuxsock

    auth,authpriv.*          /var/log/auth.log
    *.*;auth,authpriv.none   /var/log/syslog
    daemon.*                 /var/log/daemon.log
    kern.*                   /var/log/kern.log
    mail.*                   /var/log/mail.log
    lpr.*                    /var/log/lpr.log
    user.*                   /var/log/user.log

We want to anonymize entries in the mail log file. This means that we must anonymize the message before the mail log is written, so mmanon has to be called before the action that writes mail.log. As we do not want to anonymize the other files, we need to make sure that mmanon is only called for messages matching that filter (mail.*). The obvious solution thus is:

    $ModLoad imuxsock
    $ModLoad mmanon

    auth,authpriv.*          /var/log/auth.log
    *.*;auth,authpriv.none   /var/log/syslog
    daemon.*                 /var/log/daemon.log
    kern.*                   /var/log/kern.log
    mail.*                   action(type="mmanon")
    mail.*                   /var/log/mail.log
    lpr.*                    /var/log/lpr.log
    user.*                   /var/log/user.log

Please note that while this is an obvious solution, it is slightly less than optimal from a performance point of view, because the filter (mail.*) is evaluated twice, once for each line. It is more efficient to use an rsyslog execution block, where the filter is evaluated once and both actions run inside it:

    $ModLoad imuxsock
    $ModLoad mmanon

    auth,authpriv.*          /var/log/auth.log
    *.*;auth,authpriv.none   /var/log/syslog
    daemon.*                 /var/log/daemon.log
    kern.*                   /var/log/kern.log
    mail.* {
        action(type="mmanon")
        /var/log/mail.log
    }
    lpr.*                    /var/log/lpr.log
    user.*                   /var/log/user.log

Note that this is just one of the many ways you could reach the desired result.
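As an added example (not part of the original FAQ), the same execution block written in RainerScript, extended with the variable technique mentioned above: the message text is copied into `$!orig` before mmanon runs, so a second, access-restricted file can still receive the unmodified line while `/var/log/mail.log` only ever sees anonymized data. The file name `/var/log/mail-raw.log`, the template name `orig-msg` and the variable name `$!orig` are choices made for this example; `fileCreateMode`, `set`, `template()` and the `%$!orig%` property syntax are standard rsyslog features.

```conf
module(load="imuxsock")
module(load="mmanon")

auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   /var/log/syslog
daemon.*                 /var/log/daemon.log
kern.*                   /var/log/kern.log

# Template that prints the copy of the message saved before mmanon ran.
# (example template name; the property $!orig is set inside the block below)
template(name="orig-msg" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%$!orig%\n")

mail.* {
    # Snapshot the original text: after mmanon it is gone from $msg.
    set $!orig = $msg;

    # Anonymize in place. With the module defaults the low 16 bits of every
    # IPv4 address are zeroed, so 192.168.1.50 becomes 192.168.0.0.
    action(type="mmanon")

    # Everything from here on only sees the anonymized message.
    action(type="omfile" file="/var/log/mail.log")

    # Optional raw copy for a restricted audit file (example path). Drop this
    # action entirely if the original addresses must not be kept at all.
    action(type="omfile" file="/var/log/mail-raw.log"
           template="orig-msg" fileCreateMode="0600")
}

lpr.*                    /var/log/lpr.log
user.*                   /var/log/user.log
```

To check the ordering after a configuration change, validate the syntax with `rsyslogd -N1`, restart rsyslog, send a constructed test line such as `logger -p mail.info "connect from 192.168.1.50"`, and confirm that `/var/log/mail.log` shows the zeroed address while only the 0600 raw file (if you kept it) contains the real one. If the real address turns up in mail.log, an action that writes that file is still running before mmanon.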
