Masking
Overview
This Masking processor detects and masks the sensitive data.
Supported types: Logs · Metrics · Traces
Basic Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| allow_all_keys | bool | true | When enabled, all attribute keys are retained and the allowed_keys restriction is ignored. Masking rules defined in blocked_values are still applied. |
| hash_function | string | Censor with Asterisks | Masks sensitive data based on the specified algorithm. supported values : Hash (MD5) Hash (SHA-1) Hash (SHA-3) |
Masking Rule Presets
The following presets are supported by default. Enable them to mask the corresponding data.
- PAN
- Credit Card Numbers
- SSN
- Email Address
- Date of Birth
- International Bank Account Number (IBAN)
- IPv4 Address
- IPv6 Address
- MAC Address
- US Phone Numbers
- International Phone Numbers
- US City, State
- US Zip Code
- UUID
- AWS Access Key
- AWS Secret Access Key
Value Masking
Configure rules to control how keys and values are masked during processing.
| Parameter | Type | Description |
|---|---|---|
| blocked_key_patterns | array[string] | Regular expression patterns for keys whose values should always be masked. |
| blocked_values | array[string] | Regular expression patterns for values that should be masked when detected. |
| ignored_keys | array[string] | Keys that are allowed to pass through the processor without masking. Values for these keys will remain unchanged. |
| allowed_values | array[string] | Regular expression patterns for values that should never be masked, even if they match other masking rules. |
Note:
- Ignored attributes are processed first so they're always allowed and never blocked. This field (
Ignored Keys) should only be used where you know the data is always safe to send to the telemetry system.- When both
allowed_valuesandblocked_valuesare configured,allowed_valuestakes precedence.
Advanced Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| summary | string | None | Controls whether masking summary information is added to the processed data as attributes. |
| allowed_keys | array[string] | none | A list of attribute keys that are allowed to pass through the processor without masking. If allow_all_keys is enabled, this list is ignored and all attribute keys are retained. |
| mask_all_types | bool | true | When enabled, masking rules are also applied to non-string attribute values such as numbers or boolean fields. |
Mask Summary Options
- None – No masking summary attributes are added.
- Masked Field Counts – Adds the number of masked fields as an attribute.
- Masked Field Counts and Names – Adds both the count and the names of masked fields as attributes.
Example Configuration
{
"allow_all_keys": true, // default: true
"hash_function": "", // default: ""
"pan": false, // default: false
"credit_card": false, // default: false
"ssn": false, // default: false
"email": false, // default: false
"date_of_birth": false, // default: false
"iban": false, // default: false
"ipv4": false, // default: false
"ipv6": false, // default: false
"mac_address": false, // default: false
"us_phone_number": false, // default: false
"international_phone_number": false, // default: false
"us_city_state": false, // default: false
"us_zip_code": false, // default: false
"uuid": false, // default: false
"aws_access_key": false, // default: false
"aws_secret_access_key": false, // default: false
"blocked_key_patterns": [], // default: none
"blocked_values": [], // default: none
"ignored_keys": [], // default: none
"allowed_values": [], // default: none
"summary": "none", // default: "none"
"allowed_keys": [], // default: none
"mask_all_types": true, // default: true
}