Sensitive Data Obfuscation using OTTL

Overview

groundcover leverages OTTL to allow custom log transformations. This flexibility lets you apply rules to either mask or remove sensitive data as it flows through your pipelines. By integrating data obfuscation directly into your log processing, you maintain privacy and meet compliance requirements while still retaining the necessary operational details.

Obfuscating Sensitive Data with OTTL

Sensitive data obfuscation in groundcover can be implemented using one of two primary approaches:

• Using replace_pattern: Replace parts of a string with a masking token (e.g., replacing email characters with asterisks).

• Using delete_key: Remove fields that contain sensitive data entirely if they’re not required for downstream processing.

The choice depends on whether you need to preserve the field (in a masked format) or remove it for security.

Required Attributes

When defining an OTTL pipeline for obfuscation, ensure you include these key fields in your rule configuration:

• statements- List of transformation steps.

• conditions - Logic for when the obfuscation rule should trigger.

• statementsErrorMode – How to handle errors (e.g., skip, fail).

• conditionLogicOperator – Used when you define multiple conditions (and, or).

Each rule should have a unique ruleName.

Examples

Below is an example structure of an OTTL rule designed for sensitive data obfuscation:

ottlRules:
  - ruleName: "mask_email"
    conditions:
      - 'workload == "groundcover"'
      - 'attributes["email"] != ""'
    statements:
      - 'replace_pattern(attributes["email"], "(.{2}).+(@.*)", "$1****$2")'
  - ruleName: "obfuscate_credit_card"
    conditions:
      - 'container_name == "proxy"'
    statements:
      - 'replace_pattern(body, "(credit card:)[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}", "$1****-****-****-****")'
  - ruleName: "remove_api_key"
    conditions:
      - 'workload == "BYOC"'
      - 'attributes["api_key"] != ""'
    statements:
      - 'delete_key(attributes, "api_key")'

Explanation

mask_email:

• Condition: Checks if an email field exists in the log.

• Statement: Uses replace_pattern to retain the first two characters and the domain while replacing the rest with asterisks.

remove_credit_card:

• Condition: Checks for proxy container

• Statement: Uses replace pattern to obfuscate the credit card number

remove_api_key:

• Condition: Checks if an api_key field exists in the log.

• Statement: Removes the api_key field.