In an attempt to mask some secrets from my container logs being streamed to grafana using promtail container.
I have been struggling to get the replace directive in my grafana config to work with this. Can anyone please help?
This is what I have as part of my config ( multiple JWT variations I have tried but failed. I still see jwt which is passed as a query param in one of the requests on grafana
- job_name: containers
pipeline_stages:- json:
expressions:
output: log
stream: stream
attrs: - json:
expressions:
tag:
source: attrs - regex:
expression: ‘(?P<container_name>(?:[^|]*[^|]))’
source: tag - timestamp:
format: RFC3339Nano
source: time - labels:
tag:
stream:
container_name: - replace:
expression: ‘token=(eyJ.*)’
replace: ‘masked’ - replace:
expression: ‘eyJ[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+’
replace: ‘[JWT_MASKED]’ - replace:
expression: ‘(eyJ[a-zA-Z0-9-]+.[a-zA-Z0-9-]+.[a-zA-Z0-9-_]+)’
replace: ‘[JWT2_Masked]’ - replace:
expression: ‘(eyJ.*)’
replace: ‘[JWT3_Masked]’ - replace:
expression: ‘(?|&)(state|next|id_token|access_token|refresh_token)=[^&\s]+’
replace: ‘${1}${2}=[MASKED]’ - replace:
expression: ‘“Authorization”: “Bearer (eyJ[^”]+)"’
replace: ‘“Authorization”: “Bearer [JWT4_Masked]”’ - replace:
expression: ‘(/.*[^/\s:@]{3,20}:)(:?[^/\s:@]{3,20})(@.{1,100}[^’‘\s])’
replace: ‘[Password_In_Path_Masked]’ - output:
source: output
static_configs:- targets:
- localhost
- labels:
container_name:
job: containerlogs
path: /var/lib/docker/containers//-json.log
team: ${GRAFANA_TEAM}
- targets:
- json: