| title | metaDescription | freshnessValidatedDate |
|---|---|---|
Log obfuscation: Hash or mask sensitive data in your logs |
How to hash or mask sensitive data in logs you send to New Relic with our log obfuscation UI or API. |
never |
import logsObfuscationCreateExpression from 'images/logs_screenshot-crop_obfuscation-create-expression.webp'
import logsLogObfuscationCreateRule from 'images/logs_screenshot-crop_log-obfuscation-create-rule.webp'
import logsLogObfuscationExpression from 'images/logs_screenshot-crop_log-obfuscation-expression.webp'
With log obfuscation rules, you can prevent certain types of information from being saved in New Relic.
Our log obfuscation feature is available as part of our Data Plus option.
Our service automatically masks number patterns that we identify as likely being sensitive items, such as credit card or Social Security numbers.
If you need additional obfuscation, one option is to adjust the configuration of the log forwarder you use (for example, our infrastructure agent). But an easier option is to use our log obfuscation feature, available with Data Plus. This feature lets you set up log obfuscation rules directly from the log management UI, or via our NerdGraph API, without lengthy manual configuration. You'll define regular expressions matching your sensitive information, and then create rules to obfuscate that data. You can choose either to have sensitive information masked or hashed.
Here are some important terms:
- Obfuscation rules define what logs to apply obfuscation actions to.
- Obfuscation rule actions define what attributes to look at, what text to obfuscate, and how to obfuscate (either by masking or hashing).
- Obfuscation expressions are named regular expressions identifying what text to obfuscate.
- Masking completely removes information, replacing it with
Xcharacters. You cannot search for specific values once this is done. - Hashing hides information. You can use the hashing tool to get the hash of a sensitive value, and then search for logs containing that hash.
The JSON objects displayed in the following example are simplifications of the payloads used by our NerdGraph API. This will help you better correlate the different API operations with their UI equivalent counterparts.
Imagine you have the following log record:
{
"message": "The credit card number 4321-5678-9876-2345 belongs to user user@email.com (born on 01/02/2003) with SSN 123-12-1234",
"creditCardNumber": "4321-5678-9876-2345",
"ssn": "123-12-1234",
"department": "sales",
"serviceName": "loginService"
}This log record contains several sensitive data. Ideally, you would like your log to end up looking like this:
{
"message": "The credit card number 9aa9bc1528859aee1b1df75795f1ebd54beb2f0d26c8a1d4580a71a07189cdd5 belongs to user user@email.com (born on XXXXXXXXXX) with SSN 30e6897f76dc102e32ee1d781c43417d259e586eac15c963d75ab8b5187769da",
"creditCardNumber": "9aa9bc1528859aee1b1df75795f1ebd54beb2f0d26c8a1d4580a71a07189cdd5",
"ssn": "30e6897f76dc102e32ee1d781c43417d259e586eac15c963d75ab8b5187769da",
"department": "sales",
"serviceName": "loginService"
}Here is the basic process you would use to obfuscate the sensitive data in this example.
You decide you want to apply the following obfuscation actions to all the logs coming from that service:* `HASH` the credit card number present in the `message` and `creditCardNumber` attributes.
* `MASK` the birth date present in the `message` attribute.
* `HASH` the Social Security number present in the `message` and `ssn` attributes.
<Collapser id="example-expressions" title="2. How expressions will capture sensitive data"
The first thing you need to do is to define some obfuscation expressions that allow you to capture this sensitive information.
<Callout variant="tip">
The examples below show regular expressions you'd use directly in the UI. Later in this document, we discuss how you could use escaped versions of these regular expressions for [NerdGraph](#expressions-create).
</Callout>
<table>
<thead>
<tr>
<th style={{ width: "200px" }}>
Obfuscation expression
</th>
<th>
Definition
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
Credit card number
</td>
<td>
We need to capture 4 groups of 4 digits separated by hyphens:
```
{
"name": "Credit Card Number",
"regex": "((?:(?:4\d{3})|(?:5[1-5]\d{2})|6(?:011|5[0-9]{2}))(?:-?|\040?)(?:\d{4}(?:-?|\040?)){3}|(?:3[4,7]\d{2})(?:-?|\040?)\d{6}(?:-?|\040?)\d{5})"
}
```
</td>
</tr>
<tr>
<td>
Social Security number
</td>
<td>
We need to capture 3 groups of 3, 2, and 4 digits separated by hyphens:
```
{
"name": "Social Security Number",
"regex": "(\d{3}-\d{2}-\d{4})"
}
```
</td>
</tr>
<tr>
<td>
Born date (`loginService` specific)
</td>
<td>
In this example, the born date is part of the Login service. We define the portion to obfuscate based on the date information in the surrounding words `"(born on 01/02/2003)"`:
```
{
"name": "Born date - loginService specific",
"regex": "born on (.*)\)"
}
```
</td>
</tr>
</tbody>
</table>
Each obfuscation expression defines how to capture some sensitive information out of a string (using a regex) and associates it with some friendly name so that you can easily identify it later.
Obfuscation expressions *can* be reusable; they are totally agnostic to how the log attribute containing the sensitive data is named. For instance, the Social Security expression defined above could be applied to a log attribute named `ssn`, `socialSecurityNumber`, or `socSecNum`.
You can also create non-reusable obfuscation expressions, like `Born date (loginService specific)`, that are tightly coupled to the log attribute's format. For example, you could use whatever comes after `born on` and `before`.
<Callout variant="caution" title="Nested regular expression capture groups not supported">
The main responsibility of this feature is to replace sensitive data with the hash or mask in an easy and performant way.
If you want or need to group different matches inside a capture group, remember to use the non-capture group syntax `(?:{EXPRESSION})` to avoid creating nested capture groups.
For example, avoid `(([A-Z]{12})|([a-z]{6}))` and instead use `((?:[A-Z]{12})|((?:[a-z]{6}))`.
</Callout>
<Collapser id="example-rules" title="3. Which logs will use your rule"
Now that we have defined how to capture our sensitive data, we need to specify which logs need to be obfuscated (the ones of the Login Service) and how (with the obfuscation actions we defined). To achieve this, we define an obfuscation rule.
```json
{
"name": "Obfuscate Login Service Logs",
"filter": "serviceName = 'loginService' AND department = 'sales'",
"actions": [
{
"attributes": ["message", "creditCardNumber"],
"expression": {"name": "Credit Card Number"},
"method": "HASH_SHA256"
},
{
"attributes": ["message"],
"expression": {"name": "Born date - loginService specific"},
"method": "MASK"
},
{
"attributes": ["message", "ssn"],
"expression": {"name": "Social Security Number"},
"method": "HASH_SHA256"
}
]
}
```
This rule contains three main components:
<table>
<thead>
<tr>
<th style={{ width: "200px" }}>
Obfuscation rule component
</th>
<th>
Description
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
Name
</td>
<td>
The name helps to easily identify what the rule does. In this example, this rule defines how to obfuscate the different attributes of the logs coming from the Login Service.
</td>
</tr>
<tr>
<td>
Filter
</td>
<td>
The filter uses NRQL format to tell our system how to identify the target logs coming from the Login Service. This example queries for logs where `serviceName = loginService` and `department = sales`.
</td>
</tr>
<tr>
<td>
Actions
</td>
<td>
Finally, this rule defines the set of obfuscation actions to apply to the logs matching the filter. Each action defines:
* Which previously created obfuscation expression to use to extract the sensitive information from each set of attributes
* Which obfuscation method (`HASH_SHA256` or `MASK`) to be applied to obfuscate this data
Note that when defining obfuscation rules via NerdGraph, you will need to specify the `id` of the obfuscation expressions instead of their names. To make the previous example more readable, we used the obfuscation expression names instead.
</td>
</tr>
</tbody>
</table>
<Collapser id="example-more" title="4. Reusing expressions in other rules"
As a final example, imagine we also needed to obfuscate logs coming from another service named "Checkout Service" that have an attribute `serviceName = checkoutService` as well as a `ccn` attribute that contains credit card information:
```json
{
"message": "Order completed",
"ccn": "4321-5678-9876-2345",
"department": "sales",
"serviceName": "checkoutService"
}
```
To obfuscate the logs from this service, we would only have to define another obfuscation rule targeting these specific logs, and we would simply reuse the previously created `Credit card number` obfuscation expression:
```json
{
"name": "Obfuscate Checkout Service Logs",
"filter": "serviceName = 'checkoutService' AND department = 'sales'",
"actions": [
{
"attributes": ["ccn"],
"expression": {"name": "Credit Card Number"},
"method": "HASH_SHA256"
}
]
}
```
To obfuscate your logs:
-
Study the shape of your logs by identifying patterns of sensitive data that appear in them. For example:
- Do all your logs contain sensitive information? Or can you be more specific (only the logs from service A or region B)?
- What sensitive information do they contain: credit card numbers, driver's license numbers, national IDs, biometrics, other values?
-
Create obfuscation expressions to identify how to extract sensitive data.
-
Define obfuscation rules for each set of logs:
- Define how you will capture them using NRQL.
- Define which obfuscation actions need to be applied to each of them. Ask yourself: Will I need to query my logs using this sensitive information later (consider using
HASH), or do I need to remove this information entirely from my logs (consider usingMASK)?
Obfuscation has per-minute CPU limits. If an account hits these resource limits, logs won't be obfuscated as expected. To check your CPU limits, go to your system Limits page in the Data management UI.
If you exceed the obfuscation per-minute CPU limits and logs cannot be obfuscated or hashed, the attribute the obfuscation rule was applied to will be dropped and replaced with text indicating why the attribute was dropped. For example, if the obfuscation rule is applied to the message field, and the CPU per-minute limit is reached, the resulting log will look like this:
{
...
"message": "<OBFUSCATION> The account is over its obfuscation per-minute limit, attribute dropped",
...
}This is to prevent PII or other sensitive data from being ingested inadvertently.
In addition, the following `NrIntegrationError' will be logged to the account:
{
"category": "RateLimit",
"level": "error",
"limitName": "Log API obfuscation per account per minute",
"message": "You’ve exceeded our limit of per-account obfuscation time per-minute for the Log ingestion pipeline. Please reduce your usage or contact New Relic support.",
"name": "ObfuscationTimeLimitReached",
"newRelicFeature": "Logs",
"rateLimitType": "ObfuscationTimePerMinute",
"timestamp": 1678819264283
}To evaluate how well your obfuscation rules are working and see which ones are being skipped, go to Logs Obfuscation > Health. Obfuscation rules are CPU intensive, so these charts can help you decide which rules are most impacted by any resource limitations.
You can create, read, update, or delete obfuscation expressions by using the New Relic UI or by using NerdGraph, our GraphQL Explorer.
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Click <DNT>**Create regex**</DNT>.
3. Enter a name for your new obfuscation rule, as well as a regular expression matching the sensitive data you want to capture. Use [RE2 syntax](https://github.com/google/re2/wiki/Syntax).
The following example shows a basic obfuscation expression that will match credit card numbers:
<img
title="Create an obfuscation expression using the logs UI"
alt="Create an obfuscation expression using the logs UI"
src={logsObfuscationCreateExpression}
/>
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsCreateObfuscationExpression` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql#query=mutation%20%7B%0A%20%20logConfigurationsCreateObfuscationExpression%28accountId%3A%201234%2C%20expression%3A%20%7Bname%3A%20%22Credit%20Card%20Number%22%2C%20regex%3A%20%22%28%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D%29%22%2C%20description%3A%20%22Reusable%20expression%20to%20capture%20credit%20card%20numbers%22%7D%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20regex%0A%20%20%20%20description%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Callout variant="important">
You must escape regular expressions when using them in NerdGraph. For example: `((?:(?:4\\d{3})|(?:5[1-5]\\d{2})|6(?:011|5[0-9]{2}))(?:-?|\\040?)(?:\\d{4}(?:-?|\\040?)){3}|(?:3[4,7]\\d{2})(?:-?|\\040?)\\d{6}(?:-?|\\040?)\\d{5})`
</Callout>
<Collapser id="expressions-read" title="Read an obfuscation expression"
Use either of these options to query an obfuscation expression:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Expressions**</DNT> tab to view all the available obfuscation expressions and their definitions.
<DNT>**Using NerdGraph:**</DNT>
Use the `obfuscationExpressions` fetcher under `actor.account.logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=%7B%0A%20%20actor%20%7B%0A%20%20%20%20account%28id%3A%201234%29%20%7B%0A%20%20%20%20%20%20logConfigurations%20%7B%0A%20%20%20%20%20%20%20%20obfuscationExpressions%20%7B%0A%20%20%20%20%20%20%20%20%20%20id%0A%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20regex%0A%20%20%20%20%20%20%20%20%20%20description%0A%20%20%20%20%20%20%20%20%20%20createdAt%0A%20%20%20%20%20%20%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20email%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20updatedAt%0A%20%20%20%20%20%20%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20email%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Collapser id="expressions-update" title="Update an obfuscation expression"
Use either of these options to update an obfuscation expression:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Expressions**</DNT> tab.
3. Click the ellipsis icon <DNT>**...**</DNT> at the right side of the obfuscation expression you want to edit, and click <DNT>**Edit**</DNT>.
4. Modify fields as needed, and click <DNT>**Update**</DNT>.
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsUpdateObfuscationExpression` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsUpdateObfuscationExpression%28accountId%3A%201234%2C%20expression%3A%20%7Bname%3A%20%22Credit%20Card%20Number%20-%20EDITED%22%2C%20regex%3A%20%22%28%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D-%5C%5Cd%7B4%7D%29%22%2C%20description%3A%20%22Reusable%20expression%20to%20capture%20credit%20card%20numbers%20-%20EDITED%22%2C%20id%3A%20%225678%22%7D%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20regex%0A%20%20%20%20description%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Callout variant="important">
You must escape regular expressions when using them in NerdGraph. For example: `((?:(?:4\\d{3})|(?:5[1-5]\\d{2})|6(?:011|5[0-9]{2}))(?:-?|\\040?)(?:\\d{4}(?:-?|\\040?)){3}|(?:3[4,7]\\d{2})(?:-?|\\040?)\\d{6}(?:-?|\\040?)\\d{5})`
</Callout>
You do not need to specify all the fields of an obfuscation expression when updating it, only the id (mandatory) and the fields that you wish to modify.
<Collapser id="expressions-delete" title="Delete an obfuscation expression"
<Callout variant="important">
You will not be able to delete an obfuscation expression if it is currently being used by an obfuscation rule.
</Callout>
Use either of these options to delete an obfuscation expression:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Expressions**</DNT> tab.
3. Click the ellipsis icon <DNT>**...**</DNT> at the right side of the obfuscation expression you want to delete, and click <DNT>**Delete**</DNT>.
4. Confirm you want to delete the expression by clicking <DNT>**Delete**</DNT>.
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsDeleteObfuscationExpression` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsDeleteObfuscationExpression%28accountId%3A%201234%2C%20id%3A%205678%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20regex%0A%20%20%20%20description%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20email%0A%20%20%20%20%20%20name%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20email%0A%20%20%20%20%20%20name%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
The mutation will return a snapshot of the expression before being deleted.
Below, we've provided some sample regex expressions to obfuscate some of the most common sensitive data types. Obfuscation expressions must be created for each New Relic account where those expressions will be in use.
The following examples are regular expressions you could use in the UI. To use these in GraphQL, you'd need to escape them as shown in this [example](#expressions-create). **Expression:** ``` (\d{3}[-\s\.]?\d{2}[-\s\.]?\d{4}) ```<Collapser id="ccn" title="Credit card number"
<DNT>**Expression:**</DNT>
```
((?:(?:4\d{3})|(?:5[1-5]\d{2})|6(?:011|5[0-9]{2}))(?:-?|\040?)(?:\d{4}(?:-?|\040?)){3}|(?:3[4,7]\d{2})(?:-?|\040?)\d{6}(?:-?|\040?)\d{5})
```
<Collapser id="dob" title="US Date of birth"
<DNT>**Expression:**</DNT>
```
((?:\d{2})?\d\d(?:\\)?(?:\/)?\d\d(?:\\)?(?:\/)?\d{2}(?:\d{2})?)
```
<Collapser id="email" title="Email address"
<DNT>**Expression:**</DNT>
```
([a-zA-Z0-9!#$'*+?^_`{|}~.-]+(?:@|%40)(?:[a-zA-Z0-9-]+\.)+[a-zA-Z0-9-]+)
```
<Collapser id="ipv4" title="IP address (ipv4)"
<DNT>**Expression:**</DNT>
```
^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$
```
<Collapser id="usstreetaddress" title="US street address"
<DNT>**Expression:**</DNT>
```
/\d{1,}(\s{1}\w{1,})(\s{1}?\w{1,})/g
```
<Collapser id="usphone" title="US phone number"
<DNT>**Expression:**</DNT>
```
(^[\+]?[1]?[\W]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4})
```
<Collapser id="uspassport" title="US passport number"
<DNT>**Expression:**</DNT>
```
([a-zA-Z]?\d?\d{5,8})
```
<Collapser id="uknino" title="UK national insurance number (NINO)"
<DNT>**Expression:**</DNT>
```
([a-zA-Z]{2}[-\s]?\d{2}[-\s]?\d{2}[-\s]?\d{2}[-\s]?[a-dA-D])
```
<Collapser id="spainnid" title="Spain National ID (NIE/DNI/NIF)"
<DNT>**Expression:**</DNT>
```
([a-zA-Z]?[-\s]?\d{7,8}[-\s]?[a-zA-Z])
```
<Collapser id="indiapanid" title="India PAN ID"
<DNT>**Expression:**</DNT>
```
^([a-zA-Z]){5}([0-9]){4}([a-zA-Z]){1}?$
```
<Collapser id="indiaaadhaar" title="India AADHAAR ID"
<DNT>**Expression:**</DNT>
```
^([2-9]{1}[0-9]{3}\s\d{4}\s\d{4})$
```
<Collapser id="caphin" title="Canada personal health/social insurance number (PHIN/SIN)"
<DNT>**Expression:**</DNT>
```
(\d{3}[-\s\.]?\d{3}[-\s\.]?\d{3})
```
<Collapser id="cahcn" title="Canada health card number"
<DNT>**Expression:**</DNT>
```
(\d{10})
```
<Collapser id="japanid" title="Japan national identity number (My number)"
<DNT>**Expression:**</DNT>
```
(d{4}\sd{4}\sd{4}) ```
You can create, read, update, or delete obfuscation rules by using the New Relic UI or by using NerdGraph, our GraphQL Explorer.
Use either of these options to create an obfuscation rule:<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Click <DNT>**Create obfuscation rule**</DNT>.
3. Enter a name for your new obfuscation rule, as well as a matching criteria (in NRQL format) to capture the target set of logs you want to obfuscate.
4. Add a new `actions` (the first one is added automatically) to specify the obfuscation expression (regex) to capture each set of attributes, as well as whether to `MASK` or `HASH` them.
* Multiple attributes can be specified comma-separated.
* `MASK` will replace all matching characters with `X`es. If you use `MASK`, you will not be able to query for a particular obfuscated value later.
* `HASH` will replace sensitive data with the SHA-256 hash value. If you use `HASH`, you will be able to query them using our hashing tool, provided you know its cleartext value.
Your rule should look something like this:
<img
title="Create an obfuscation rule using the logs UI"
alt="Create an obfuscation rule using the logs UI"
src={logsLogObfuscationCreateRule}
/>
5. Click <DNT>**Create rule**</DNT> to create and activate your obfuscation rule.
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsCreateObfuscationRule` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsCreateObfuscationRule%28accountId%3A%201234%2C%20rule%3A%20%7Bname%3A%20%22Obfuscate%20Login%20Service%20Logs%22%2C%20description%3A%20%22Removes%20PII%20from%20the%20Login%20Service%20Logs%20owned%20by%20the%20Sales%20department.%20Do%20not%20modify%20this%20rule%20without%20contacting%20the%20Sales%20team%20first.%22%2C%20filter%3A%20%22serviceName%20%3D%20%27loginService%27%20AND%20department%20%3D%20%27sales%27%22%2C%20enabled%3A%20true%2C%20actions%3A%20%5B%7Battributes%3A%20%5B%22message%22%2C%20%22creditCardNumber%22%5D%2C%20expressionId%3A%20%2212%22%2C%20method%3A%20HASH_SHA256%7D%2C%20%7Battributes%3A%20%5B%22message%22%5D%2C%20expressionId%3A%20%2234%22%2C%20method%3A%20MASK%7D%2C%20%7Battributes%3A%20%5B%22message%22%2C%20%22ssn%22%5D%2C%20expressionId%3A%20%2256%22%2C%20method%3A%20HASH_SHA256%7D%5D%7D%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20description%0A%20%20%20%20filter%0A%20%20%20%20enabled%0A%20%20%20%20actions%20%7B%0A%20%20%20%20%20%20attributes%0A%20%20%20%20%20%20expression%20%7B%0A%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20method%0A%20%20%20%20%7D%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Callout variant="important">
You must specify the obfuscation `expressionId` in order to link it to a given obfuscation action. To retrieve this id, you can [query the `obfuscationRules`](#rules-read).
</Callout>
<Collapser id="rules-read" title="Read an obfuscation rule"
Use either of these options to query an obfuscation rule:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Rules**</DNT> tab (default) to view all the available obfuscation rules and their definitions.
<DNT>**Using NerdGraph:**</DNT>
Use the `obfuscationRules` fetcher under `actor.account.logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=%7B%0A%20%20actor%20%7B%0A%20%20%20%20account%28id%3A%201234%29%20%7B%0A%20%20%20%20%20%20logConfigurations%20%7B%0A%20%20%20%20%20%20%20%20obfuscationRules%20%7B%0A%20%20%20%20%20%20%20%20%20%20id%0A%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20description%0A%20%20%20%20%20%20%20%20%20%20filter%0A%20%20%20%20%20%20%20%20%20%20enabled%0A%20%20%20%20%20%20%20%20%20%20actions%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20attributes%0A%20%20%20%20%20%20%20%20%20%20%20%20expression%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20method%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20createdAt%0A%20%20%20%20%20%20%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20email%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20updatedAt%0A%20%20%20%20%20%20%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%20%20%20%20%20%20email%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A)
<Collapser id="rules-update" title="Update an obfuscation rule"
Use either of these options to update an obfuscation rule:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Rules**</DNT> tab (default).
3. Click the ellipsis icon <DNT>**...**</DNT> at the right side of the obfuscation rule you want to edit, and click <DNT>**Edit**</DNT>.
4. Modify the fields as needed, and click <DNT>**Update rule**</DNT>.
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsUpdateObfuscationRule` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsUpdateObfuscationRule%28accountId%3A%201234%2C%20rule%3A%20%7Bid%3A%20%225678%22%2C%20name%3A%20%22EDITED%20-%20Obfuscate%20Login%20Service%20Logs%22%2C%20description%3A%20%22EDITED%20-%20Removes%20PII%20from%20the%20Login%20Service%20Logs%20owned%20by%20the%20Sales%20department.%20Do%20not%20modify%20this%20rule%20without%20contacting%20the%20Sales%20team%20first.%22%2C%20filter%3A%20%22serviceName%20%3D%20%27loginService%27%20AND%20department%20%3D%20%27sales%27%22%2C%20enabled%3A%20true%2C%20actions%3A%20%5B%7Battributes%3A%20%5B%22message%22%2C%20%22creditCardNumber%22%5D%2C%20expressionId%3A%20%2212%22%2C%20method%3A%20HASH_SHA256%7D%2C%20%7Battributes%3A%20%5B%22message%22%5D%2C%20expressionId%3A%20%2234%22%2C%20method%3A%20MASK%7D%2C%20%7Battributes%3A%20%5B%22message%22%2C%20%22ssn%22%5D%2C%20expressionId%3A%20%2256%22%2C%20method%3A%20HASH_SHA256%7D%5D%7D%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20description%0A%20%20%20%20filter%0A%20%20%20%20enabled%0A%20%20%20%20actions%20%7B%0A%20%20%20%20%20%20attributes%0A%20%20%20%20%20%20expression%20%7B%0A%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20method%0A%20%20%20%20%7D%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Callout variant="important">
You must specify the obfuscation `expressionId` in order to link it to a given obfuscation action. To retrieve this id, you can use the `obfuscationRules`, as described in [query the `obfuscationRules`]](#rules-read).
</Callout>
You do not need to specify all the fields of an obfuscation rule when updating it, only the `id` (mandatory) and the fields that you wish to modify. Here is an example to only [update the name](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsUpdateObfuscationRule%28accountId%3A%201234%2C%20rule%3A%20%7Bid%3A%20%225678%22%2C%20name%3A%20%22EDITED%20-%20Obfuscate%20Login%20Service%20Logs%22%7D%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20description%0A%20%20%20%20filter%0A%20%20%20%20enabled%0A%20%20%20%20actions%20%7B%0A%20%20%20%20%20%20attributes%0A%20%20%20%20%20%20expression%20%7B%0A%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20method%0A%20%20%20%20%7D%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
<Collapser id="rules-delete" title="Delete an obfuscation rule"
Use either of these options to delete an obfuscation rule:
<DNT>**Using the logs UI:**</DNT>
1. Go to <DNT>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Logs**</DNT> and from the left nav, select <DNT>**Obfuscation**</DNT>.
2. Select the <DNT>**Rules**</DNT> tab (default).
3. Click the ellipsis icon <DNT>**...**</DNT> at the right side of the obfuscation rule you want to delete, and click <DNT>**Delete**</DNT>.
4. Confirm you want to delete the expression by clicking <DNT>**Delete**</DNT>.
<DNT>**Using NerdGraph:**</DNT>
Use the `logConfigurationsDeleteObfuscationRule` mutation under `logConfigurations`. Refer to the populated example in GraphiQL as well as the related documentation in [<DNT>**api.newrelic.com/graphiql**</DNT>](https://api.newrelic.com/graphiql?#query=mutation%20%7B%0A%20%20logConfigurationsDeleteObfuscationRule%28accountId%3A%201234%2C%20id%3A%205678%29%20%7B%0A%20%20%20%20id%0A%20%20%20%20name%0A%20%20%20%20description%0A%20%20%20%20filter%0A%20%20%20%20enabled%0A%20%20%20%20actions%20%7B%0A%20%20%20%20%20%20attributes%0A%20%20%20%20%20%20expression%20%7B%0A%20%20%20%20%20%20%20%20name%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20method%0A%20%20%20%20%7D%0A%20%20%20%20createdAt%0A%20%20%20%20createdBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%20%20updatedAt%0A%20%20%20%20updatedBy%20%7B%0A%20%20%20%20%20%20name%0A%20%20%20%20%20%20email%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A).
The mutation will return a snapshot of the rule before being deleted.