Masker Logger - Secure Your Logs by Masking Sensitive Data

Masker Logger is a powerful tool designed to enhance the security of your logs by masking sensitive data. This ensures that secrets, passwords, or other sensitive information do not accidentally leak into log files or outputs.

Below is a comprehensive guide to help you get started with Masker Logger.

Why Use Masker Logger?

When logging information, it's common to include sensitive data inadvertently. Masker Logger ensures that such data is automatically masked with asterisks (******), preventing accidental exposure. For example:

logger.info(f"Don't Give Your {secrets} away")

With Masker Logger, this will be logged as:

Don't Give Your ****** away

Installation

To install Masker Logger, use the following command:

pip install maskerlogger

Getting Started

Masker Logger works through the logging.Formatter class of Python's standard logging module. It masks sensitive data in log messages before they are written to any destination (e.g., files, stdout).

Basic Usage

Here’s how to set up Masker Logger in your Python application:

from maskerlogger import MaskerFormatter
import logging

# Initialize logger
logger = logging.getLogger('logger')
logger.setLevel(logging.DEBUG)

# Set up handler with MaskerFormatter
handler = logging.StreamHandler()
handler.setFormatter(
    MaskerFormatter("%(asctime)s %(name)s %(levelname)s %(message)s")
)
logger.addHandler(handler)

# Example log message
secrets = "password123"
logger.info(f"Don't Give Your {secrets} away")

Output:

2023-10-01 12:00:00 logger INFO Don't Give Your ****** away

Advanced Features

1. Skipping Masking

If you want to skip masking for specific log lines, you can use the SKIP_MASK mechanism:

from maskerlogger import MaskerFormatter, SKIP_MASK

# Log a message without masking
logger.info('This line will not be masked', extra=SKIP_MASK)

Output:

This line will not be masked

2. Partial Masking of Secrets

By default, secrets are fully masked. However, you can choose to mask only a portion of the secret using the redact parameter. This allows you to control how much of the sensitive data is visible.

Example:

handler.setFormatter(
    MaskerFormatter("%(asctime)s %(name)s %(levelname)s %(message)s", redact=30)
)

In this example, 30% of the secret will be masked. Adjust the redact value as needed (e.g., 50 for 50% masking).

3. Custom Configuration for Sensitive Data Detection

Masker Logger leverages the Gitleaks tool for detecting sensitive data patterns. By default, it uses Gitleaks' standard configuration. You can also provide your own custom configuration file.

Using a Custom Config File:

To use your own regex configuration file for masking:

handler.setFormatter(
    MaskerFormatter("%(asctime)s %(name)s %(levelname)s %(message)s",
                    regex_config_path="your/config/gitleaks.toml")
)

This allows you to define custom patterns for identifying and masking sensitive data.

Best Practices

  • Always use Masker Logger in environments where logs may contain sensitive information.

  • Regularly review and update your regex configuration file to ensure it covers all potential sensitive data patterns.

  • Use partial masking (redact) when you need some visibility into the secret (e.g., for debugging purposes).

  • Use SKIP_MASK sparingly and only when absolutely necessary.
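
To make the mechanism behind these features concrete, here is an added sketch (not Masker Logger's own code) of a logging.Formatter subclass that masks at format time, with a redact percentage and a skip flag. The class name, the two rules, the skip_mask attribute and the render helper are hypothetical, and which characters stay visible under partial masking is this sketch's assumption.

```python
import logging
import re

# Constructed rules for this sketch; Masker Logger itself loads Gitleaks rules.
RULES = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                       # AWS access key ID shape
    re.compile(r"(?i)(?:password|token)\s*[=:]\s*(\S+)"),  # key=value secrets
]
SKIP = {"skip_mask": True}  # hypothetical stand-in for SKIP_MASK


class SketchMaskingFormatter(logging.Formatter):
    """Hypothetical formatter: masks rule matches in the finished log line."""

    def __init__(self, fmt, redact=100):
        super().__init__(fmt)
        if not 0 <= redact <= 100:
            raise ValueError("redact must be a percentage from 0 to 100")
        self.redact = redact

    def _mask(self, secret):
        # Assumption: hide the leading `redact` percent, keep the tail visible.
        hidden = len(secret) * self.redact // 100
        return "*" * hidden + secret[hidden:]

    def _replace(self, match):
        # Mask only the captured value when the rule defines a group.
        group = 1 if match.re.groups else 0
        start, end = match.span(group)
        whole, offset = match.group(0), match.start(0)
        return whole[:start - offset] + self._mask(match.group(group)) + whole[end - offset:]

    def format(self, record):
        line = super().format(record)  # %-style args are already interpolated
        if getattr(record, "skip_mask", False):
            return line
        for rule in RULES:
            line = rule.sub(self._replace, line)
        return line


def render(formatter, msg, *args, extra=None):
    """Format one record without a handler so the result can be inspected."""
    record = logging.getLogger("demo").makeRecord(
        "demo", logging.INFO, "demo.py", 0, msg, args, None, extra=extra)
    return formatter.format(record)

if __name__ == "__main__":
    fmt = SketchMaskingFormatter("%(levelname)s %(message)s", redact=50)
    print(render(fmt, "key %s", "AKIAIOSFODNN7EXAMPLE"))  # constructed sample key
```

A value that matches no rule, such as a bare PIN, passes through this formatter unchanged, which is why the rule file needs the regular review recommended above.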

With these features and configurations, Masker Logger provides a robust solution for securing your logs and preventing data leaks. Start integrating it into your projects today. You can learn more and download Masker Logger on GitHub.
