Sensitive data obfuscation

Last updated 8 months ago

As with any application monitoring system, the data collected by groundcover is sensitive by nature and contains the payloads of full requests and queries. Raw traces can go a long way in a troubleshooting process, but you can choose to obfuscate their payload.

By default, groundcover does not obfuscate payloads. However, it will obfuscate sensitive HTTP and gRPC headers; see Sensitive headers obfuscation below for more information.

Configuration

Obfuscation is configured separately for each protocol, using the following names:

  • httphandler

  • grpchandler

  • redishandler

  • sqlhandler

    • This applies to both MySQL and PostgreSQL

  • mongodbhandler

  • amqphandler

Data obfuscation can be configured in two ways: key-value and unstructured.

Key-Value obfuscation

This method will automatically identify key-value structures such as JSON and query params, and for those it will perform obfuscation based on a defined set of keys.

The configuration consists of the following fields:

  • enabled - turns this obfuscator on and off. Default: false

  • mode - What should be done with values matching the specified keys. Possible modes are:

    • KeepSpecificValues - Obfuscate all values except for keys specified in specificKeys

    • ObfuscateSpecificValues - Keep all values and obfuscate only values for keys specified in specificKeys

  • caseSensitive - whether the keys are case sensitive. Default: false

  • specificKeys - a list of comma separated strings. Example:

            specificKeys: ["keep-me", "keep-me-too"]

If mode is not specified, the default behavior of this obfuscator is to obfuscate the values of all keys, equivalent to:

  • mode: KeepSpecificValues

  • specificKeys: []

Obfuscation for nested JSON structures is based on the inner keys within the nested JSON objects. An example can be found under Obfuscation Examples.

Below is an example of using the key-value configuration with different settings:

agent:
  sensor:
    httphandler:
      obfuscationConfig:
        keyValueConfig: 
          enabled: true
          mode: "KeepSpecificValues"
          specificKeys: ["keep-me"]
    mongodbhandler:
      obfuscationConfig:
        keyValueConfig: 
          enabled: true
          mode: "ObfuscateSpecificValues"
          caseSensitive: true # keys will be case sensitive
          specificKeys: ["obfuscate-me"]

Unstructured obfuscation

This method will obfuscate "free text" without any predefined rules. It is meant as a way to make sure all data is obfuscated regardless of its contents.

The configuration consists of the following fields:

  • enabled - turns this obfuscator on and off. Default: false

Below is an example of turning on the unstructured obfuscator:

agent:
  sensor:
    httphandler:
      obfuscationConfig:
        unstructuredConfig: 
          enabled: true

Combining the obfuscators

It's perfectly fine to use both the key-value and unstructured obfuscators together! When this is set, the key-value method will be executed first, and only if the structure isn't key-value, it will proceed to the unstructured method.

For example, let's look at a configuration for turning both obfuscators on:

agent:
  sensor:
    httphandler:
      obfuscationConfig:
        keyValueConfig: 
          enabled: true
          mode: "ObfuscateSpecificValues"
          specificKeys: ["key"]
        unstructuredConfig:
          enabled: true

Obfuscation Examples

  • JSON, {"key": "value"}

    • {"key": "?"}

  • JSON with array, {"key": [1,2,3]}

    • {"key": ["?", "?", "?"]}

  • JSON with nested keys, {"root": {"sub": {"key": "value"}}}

    • {"root": {"sub": {"key": "?"}}}

  • key=value maps:

    • key=?

  • Plain text, plain text:

    • p**** ****
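
The following Python model is an added example, not groundcover's code: it mimics the two key-value modes, the caseSensitive flag and the key-value-then-unstructured order described above, so you can check which values a given configuration would leave visible. The function names and the free-text masking rule (inferred from the single "plain text" sample) are assumptions.

```python
import json

MASK = "?"

def _hide(key, mode, keys, case_sensitive):
    """Return True when the value stored under `key` must be obfuscated."""
    if not case_sensitive:
        key, keys = key.lower(), {k.lower() for k in keys}
    listed = key in keys
    return listed if mode == "ObfuscateSpecificValues" else not listed

def _walk(node, key, cfg):
    # Nested objects are decided by their inner keys; array items use the array's key.
    if isinstance(node, dict):
        return {k: _walk(v, k, cfg) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, key, cfg) for v in node]
    return MASK if _hide(key, *cfg) else node

def _mask_text(text):
    # Assumption inferred from the page's single "plain text" sample:
    # keep the first character, replace every other non-space character with "*".
    return text[:1] + "".join(c if c.isspace() else "*" for c in text[1:])

def obfuscate(payload, mode="KeepSpecificValues", specific_keys=(),
              case_sensitive=False, unstructured=False):
    """Key-value pass first; unstructured pass only for non key-value payloads."""
    cfg = (mode, set(specific_keys), case_sensitive)
    try:
        doc = json.loads(payload)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        return json.dumps(_walk(doc, "", cfg))
    parts = payload.split("&")
    if all("=" in p for p in parts):  # key=value / query-param style
        pairs = (p.split("=", 1) for p in parts)
        return "&".join(f"{k}={MASK if _hide(k, *cfg) else v}" for k, v in pairs)
    return _mask_text(payload) if unstructured else payload

if __name__ == "__main__":
    # Constructed payloads; the first four are the inputs from the examples list.
    for sample in ('{"key": "value"}', '{"key": [1,2,3]}', "key=value", "plain text",
                   '{"Key": "secret", "other": "visible"}'):
        print(obfuscate(sample, "ObfuscateSpecificValues", ["key"], unstructured=True))
    # caseSensitive: true with a differently cased key leaves the value in the trace.
    print(obfuscate('{"Key": "secret"}', "ObfuscateSpecificValues", ["key"], case_sensitive=True))
```

The last call shows the case to watch for when setting caseSensitive: true: a key listed as "key" does not match "Key", so that value stays unobfuscated.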

Using CLI on New or Existing Installation

After preparing your desired values.yaml, apply it using:

groundcover deploy --values values.yaml

Using Helm on New Installation

helm upgrade \
    groundcover \
    groundcover/groundcover \
    -n groundcover \
    -i \
    --set global.groundcover_token=<api-key>,clusterId=my_cluster \
    --values values.yaml

Using Helm on Existing Installation

helm upgrade \
    groundcover \
    groundcover/groundcover \
    -n groundcover \
    --reuse-values \
    --values values.yaml

Sensitive headers obfuscation

groundcover will obfuscate sensitive HTTP and gRPC headers by default so that they are not shown in traces. This behavior is customizable using the same key-value config as above.

The default values for the headers obfuscation are:

agent:
  sensor:
    sensitiveHeadersObfuscationConfig:
      enabled: true
      mode: "ObfuscateSpecificValues"
      specificKeys: ["Authorization", "Proxy-Authorization", "X-Amz-Security-Token", "X-Amz-Credential"]

According to the HTTP RFC, headers are case insensitive by nature. Because of that, the headers obfuscation will always be case insensitive and can't be configured otherwise.

Truncated data: if data has been truncated, it will not be obfuscated and will show scrubbed as the data. You can change the truncation size limits if you need to. Want to change your data truncation size limits? Contact us on Slack.

For more on getting the api-key, see Using Helm.