SumoLogic · sumoanema · Oct 24, 2024 · Oct 24, 2024 · Oct 24, 2024 · Oct 25, 2024
@@ -0,0 +1,155 @@
+---
+id: mask-rules-windows
+title: Mask Rules for Windows Source Template (Beta)
+sidebar_label: Mask Rules for Windows
+description: Create a mask rule to replace an expression with a mask string.
+---
+<head>
+  <meta name="robots" content="noindex" />
+</head>
+
+<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
+
+:::note
+This document only support masking logs for Windows source template. Refer to [Mask Rules](mask-rules.md) to mask logs for other source template.
+:::
+
+A mask rule is a type of processing rule that hides irrelevant or sensitive information from logs before they are ingested. When you create a mask rule, the selected key will have its value matched against a regex pattern, which will then be replaced with a mask string before being sent to Sumo Logic. You can provide a custom mask string or use the default string, `"#####"`.
+
+Ingestion volume is calculated after applying the mask filter. If masking reduces the log size, the smaller size will be considered against the ingestion limits. Masking is an effective method for reducing overall ingestion volume.
+
+To mask specific fields in the Windows Event Log, the following inputs are required:
+- **Key**. This should point to the key in the Windows Event Log for which the value needs to be masked.  This key can be nested, with each level separated by a dot(.). For example, `provider.guid`.
+- **Regex**. This identifies the part of the string value that needs to be masked.
+- ** Replacement **. This is to get the string that will be substituted in place of the string that was selected through the regex expression.
+
+:::important
+Any masking expression should be tested and verified with a sample source file before applying it to your production logs.
+:::
+
+For example, to mask numbers inside `guid` under `provider` field from this log:
+
+```
+{
+  "record_id": 163054,
+  "channel": "Security",
+  "event_data": {
+    "TargetDomainName": "EC2AMAZ-V57A85N",
+    "SubjectUserSid": "S-1-5-21-2435622068-2303779566-2814161656-500",
+    "CallerProcessId": "0x1768",
+    "TargetUserName": "Guest",
+    "CallerProcessName": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
+    "SubjectUserName": "Administrator",
+    "TargetSid": "S-1-5-21-2435622068-2303779566-2814161656-501",
+    "SubjectLogonId": "0x71aef",
+    "SubjectDomainName": "EC2AMAZ-V57A85N"
+  },
+  "task": "User Account Management",
+  "provider": {
+    "name": "Microsoft-Windows-Security-Auditing",
+    "guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+    "event_source": ""
+  },
+  "system_time": "2023-07-14T07:58:59.9575956Z",
+  "computer": "EC2AMAZ-V57A85N",
+  "opcode": "Info",
+  "keywords": [
+    "Audit Success"
+  ],
+  "details": {
+    "Subject": {
+      "Security ID": "S-1-5-21-2435622068-2303779566-2814161656-500",
+      "Account Name": "Administrator",
+      "Account Domain": "EC2AMAZ-V57A85N",
+      "Logon ID": "0x71AEF"
+    },
+    "User": {
+      "Security ID": "S-1-5-21-2435622068-2303779566-2814161656-501",
+      "Account Name": "Guest",
+      "Account Domain": "EC2AMAZ-V57A85N"
+    },
+    "Process Information": {
+      "Process ID": "0x1768",
+      "Process Name": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"
+    }
+  },
+  "message": "A user's local group membership was enumerated.",
+  "event_id": {
+    "qualifiers": 0,
+    "id": 4798
+  },
+  "level": "Information"
+}
+```
+
+You could use the following masking expression input:
+1. Key as `provider.guid`.
+1. Regex as `[-a-z0-9]+`.
+1. Replacement as `######`.
+
+Using the above masking options would provide the following result:
+
+```
+{
+  "record_id": 163054,
+  "channel": "Security",
+  "event_data": {
+    "TargetDomainName": "EC2AMAZ-V57A85N",
+    "SubjectUserSid": "S-1-5-21-2435622068-2303779566-2814161656-500",
+    "CallerProcessId": "0x1768",
+    "TargetUserName": "Guest",
+    "CallerProcessName": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
+    "SubjectUserName": "Administrator",
+    "TargetSid": "S-1-5-21-2435622068-2303779566-2814161656-501",
+    "SubjectLogonId": "0x71aef",
+    "SubjectDomainName": "EC2AMAZ-V57A85N"
+  },
+  "task": "User Account Management",
+  "provider": {
+    "name": "Microsoft-Windows-Security-Auditing",
+    "guid": "{######}",
+    "event_source": ""
+  },
+  "system_time": "2023-07-14T07:58:59.9575956Z",
+  "computer": "EC2AMAZ-V57A85N",
+  "opcode": "Info",
+  "keywords": [
+    "Audit Success"
+  ],
+  "details": {
+    "Subject": {
+      "Security ID": "S-1-5-21-2435622068-2303779566-2814161656-500",
+      "Account Name": "Administrator",
+      "Account Domain": "EC2AMAZ-V57A85N",
+      "Logon ID": "0x71AEF"
+    },
+    "User": {
+      "Security ID": "S-1-5-21-2435622068-2303779566-2814161656-501",
+      "Account Name": "Guest",
+      "Account Domain": "EC2AMAZ-V57A85N"
+    },
+    "Process Information": {
+      "Process ID": "0x1768",
+      "Process Name": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"
+    }
+  },
+  "message": "A user's local group membership was enumerated.",
+  "event_id": {
+    "qualifiers": 0,
+    "id": 4798
+  },
+  "level": "Information"
+}
+```
+
+:::note 
+- For masking, we use the [replace_pattern](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/ottlfuncs/README.md#replace_pattern) OTTL function. In this function:
+   - $ must be escaped as $$ to bypass environment variable substitution logic.
+   - To input a literal $, use $$$.
+- When masking strings containing special characters like double quotes (`"`) and backslashes (`\`), these characters will be escaped by a backslash when masking the logs.
+:::
+
+## Limitations
+
+- You can *only* mask the data which is a string in the Windows event log JSON.
+- You cannot mask a value which is nested inside any array.
@@ -10,6 +10,10 @@ description: Create a mask rule to replace an expression with a mask string.
 
 <p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
 
+:::note
+This document do not support masking logs for Windows source template. Refer to [Mask Rules for Windows Source Template](mask-rules-windows.md) to mask logs for Windows source template.
+:::
+
 A mask rule is a type of processing rule that hides irrelevant or sensitive information from logs before ingestion. When you create a mask rule, whatever expression you choose to mask will be replaced with a mask string before it is sent to Sumo Logic. You can provide a mask string, or use the default `"#####"`.
 
 Ingestion volume is calculated after applying the mask filter. If the mask reduces the size of the log, the smaller size will be measured against ingestion limits. Masking is a good method for reducing overall ingestion volume.

@@ -17,14 +17,14 @@ import TabItem from '@theme/TabItem';
 
 <img src={useBaseUrl('img/send-data/otel-color.svg')} alt="Thumbnail icon" width="30"/><img src={useBaseUrl('img/integrations/microsoft-azure/windows.png')} alt="Thumbnail icon" width="30"/>
 
-The Windows source template creates an OpenTelemetry configuration that can be pushed to a remotely managed OpenTelemetry collector (abbreviated as otelcol). By creating this source template and pushing the config to the appropriate OpenTelemetry agent, you can ensure collection of windows event log and metrics of Windows to Sumo Logic.
+The Windows source template creates an OpenTelemetry configuration that can be pushed to a remotely managed OpenTelemetry collector (abbreviated as otelcol). By creating this source template and pushing the config to the appropriate OpenTelemetry agent, you can ensure collection of Windows event log and metrics of Windows to Sumo Logic.
 
 ## Fields creation in Sumo Logic for Windows
 
-If not already present, the following [Fields](/docs/manage/fields/) are created as part of source template creation.
+If not already present, the following [fields](/docs/manage/fields/) are created as part of source template creation.
 
 - **`sumo.datasource`**. Fixed value of **windows**.
-- **`deployment.environment`** User configured field at the time of collector installation. This identifies the environment where the Windows system resides. For example: `dev`, `prod`, or `qa`.
+- **`deployment.environment`**. User configured field at the time of collector installation. This identifies the environment where the Windows system resides. For example: `dev`, `prod`, or `qa`.
 - **`host.group`**. This is a collector-level field that is user configured at the time of collector installation. It identifies the Windows host group.
 - **`host.name`**. This is tagged through the resourcedetection processor. It holds the value of the host name where the OTel collector is installed.
 
@@ -45,27 +45,27 @@ import CollectorInstallation from '../../../../../reuse/apps/opentelemetry/colle
 
 ### Step 2: Configure the source template
 
-In this step, you will configure the yaml required for Windows Collection. Below are the inputs required for configuration:
+In this step, you will configure the YAML required for Windows collection. Below are the inputs required for configuration:
 
 - **Name**. Name of the source template.
 - **Description**. Description for the source template.
 
 #### Logs Collection
-- **Fields/Metadata**. You can provide any customer fields to be tagged with the data collected. By default, sumo tags `_sourceCategory` with the value otel/windows.
-- **Windows Event**. In this section you can select choose among the most widely used windows event channel for which windows event log collection will be enabled. You can also provide **Custom Event Channels** providing any customer event channel for which event logs are to be collected.
+- **Fields/Metadata**. You can provide any customer fields to be tagged with the data collected. By default, Sumo Logic tags `_sourceCategory` with the value `otel/windows`.
+- **Windows Event**. In this section you can select choose among the most widely used Windows event channel for which Windows event log collection will be enabled. You can also provide **Custom Event Channels** providing any customer event channel for which event logs are to be collected.
 - **Forward to SIEM**. Check the checkbox to forward your data to [Cloud SIEM](/docs/cse).
 
 #### Metrics Collection
 - **Metrics**. Select the metric scrappers you want to enable. By default, metric collection for CPU, memory, disk, load, file system, network and paging are enabled, and process metric collection is disabled.
 
-##### Enable process metric collection (Optional)
+##### Enable process metric collection (optional)
 
 import ProcMetrics from '../../../../../reuse/apps/opentelemetry/process-metric-collection.md';
 
 <ProcMetrics/>
 
 - **Scan Interval**. The frequency at which the source is scanned.
-- **Processing Rules**.  You can add processing rules for logs/metrics collected. To learn more, refer to [Processing Rules](../../processing-rules/index.md).
+- **Processing Rules**.  You can add processing rules for logs/metrics collected. To learn more, refer to [Processing Rules](/docs/send-data/opentelemetry-collector/remote-management/processing-rules/). For masking windows event logs,  refer to [Mask Rules for Windows Source Template](/docs/send-data/opentelemetry-collector/remote-management/processing-rules/mask-rules-windows). 
 
 ### Step 3: Push the source template to the desired remotely managed collectors
 
@@ -74,5 +74,5 @@ import DataConfiguration from '../../../../../reuse/apps/opentelemetry/data-conf
 <DataConfiguration/>
 
 :::info
-Refer to the [changelog](changelog.md) for information on periodic updates to this source template.
+Refer to the [changelog](/docs/send-data/opentelemetry-collector/remote-management/source-templates/windows/changelog/) for information on periodic updates to this source template.
 :::