log custom-sensitive-rule
Use this command to configure custom rules to obscure sensitive information that is not obscured in log message packet payloads by the predefined sensitivity rules.
Use this command in conjunction with “config log sensitive”.
If enabled to do so, a FortiWeb appliance will obscure predefined data types, including user names and passwords in log message packet payloads. If other sensitive data in the packet payload is not obscured by the predefined data types, you can create your own data type sensitivity rules, such as ages or other identifying numbers.
 
Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing log messages.
This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their associated log messages, and have selected to obscure logs according to custom data types. For details, see “config log attack-log” and “config log sensitive”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For more information, see “Permissions”.
Syntax
config log custom-sensitive-rule
edit <custom-sensitive-rule_name>
set expression "<sensitive-type_pattern>"
set field-name "<parameter-name_pattern>"
set field-value "<parameter-value_pattern>"
set type {field-mask-rule | general-mask-rule}
next
end
Variables (Description, Default)

<custom-sensitive-rule_name>
Description: Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
Default: No default.

expression "<sensitive-type_pattern>"
Description: Type a regular expression that matches all and only the strings or numbers that you want to obscure in the packet payloads.
For example, to hide a parameter that contains the age of users under 13, you could enter:
age\=[1-13]
Expressions must not start with an asterisk ( * ). The maximum length is 255 characters.
Default: No default.

type {field-mask-rule | general-mask-rule}
Description: Select either general-mask-rule (a regular expression that will match any substring in the packet payload) or field-mask-rule (a regular expression that will match only the value of a specific form input).
If you select general-mask-rule, configure expression "<sensitive-type_pattern>".
Default: general-mask-rule

field-name "<parameter-name_pattern>"
Description: Type a regular expression that matches all and only the input names whose values you want to obscure. (The input name itself will not be obscured. If you wish to do this, use general-mask-rule instead.) The maximum length is 255 characters.
Default: No default.

field-value "<parameter-value_pattern>"
Description: Type a regular expression that matches all and only the input values that you want to obscure. The maximum length is 255 characters.
For example, to hide a parameter that contains the age of users under 13, for field-name "<parameter-name_pattern>", you would enter age, and for field-value "<parameter-value_pattern>", you could enter [1-13].
Valid expressions must not start with an asterisk ( * ).
Caution: Field masks using asterisks are greedy: a match for the parameter's value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.
For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the field name username but not any of the parameters that follow it, you could enter the field value:
.*?(?=\&)
This would result in:
username****&age=13&origurl=%2Flogin
Default: No default.
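The following Python script is an added illustration of the two mask styles and of the greedy-match caution above; it is not FortiWeb code, and the way it applies the value pattern to the raw line after "name=" is an assumption made to reproduce the documented behaviour, not a description of the appliance's internals. The sample payload is constructed. It also uses an alternation for ages 0 to 13, because a character class such as [1-13] only matches the digits 1 and 3, so the effect of a range written that way should be verified against real payloads before relying on it.

```python
import re

# Constructed sample payload (a URL-encoded form body), not real appliance output.
SAMPLE_PAYLOAD = "username=alice&age=13&origurl=%2Flogin"
MASK = "****"


def general_mask(payload: str, expression: str) -> str:
    """Emulate a general-mask-rule: every substring of the payload that matches
    `expression` is replaced by the mask, parameter names included."""
    return re.sub(expression, MASK, payload)


def field_mask(payload: str, field_name: str, field_value: str) -> str:
    """Emulate a field-mask-rule: where a parameter name matching `field_name`
    is followed by '=', the part of the value matched by `field_value` is
    replaced. The name itself is left intact.

    Assumption (this model, not documented appliance internals): the value
    pattern is applied to the raw line after 'name=', which is why a greedy
    pattern such as '.*' can run across the separator and swallow the
    parameters that follow.
    """
    pattern = re.compile(
        r"(?:^|(?<=&))(?P<name>" + field_name + r")=(?P<value>" + field_value + r")"
    )
    return pattern.sub(lambda m: m.group("name") + "=" + MASK, payload)


# Age 0..13 as an alternation; the lookahead ends the match at the separator
# or at end of line without consuming it.
AGE_UNDER_14 = r"(?:[0-9]|1[0-3])(?=&|$)"


def demo() -> dict:
    """Return the masked variants discussed in the text, keyed by rule style."""
    return {
        # greedy field value: the rest of the line disappears with it
        "greedy": field_mask(SAMPLE_PAYLOAD, "username", r".*"),
        # lookahead stops at '&': only the username value is masked
        "lookahead": field_mask(SAMPLE_PAYLOAD, "username", r".*?(?=&)"),
        # field mask keeps the parameter name, masks only the value
        "field_age": field_mask(SAMPLE_PAYLOAD, "age", AGE_UNDER_14),
        # general mask obscures the whole matched substring, name included
        "general_age": general_mask(SAMPLE_PAYLOAD, r"age=" + AGE_UNDER_14),
    }


if __name__ == "__main__":
    for style, masked in demo().items():
        print(f"{style:12} {masked}")
```

Running the script prints one line per style; the "greedy" line shows why the caution matters, and the "general_age" line shows that a general-mask-rule removes the parameter name as well as its value.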
Example
This example enables the FortiWeb appliance to keep all types of packet payloads with their associated log messages. It also enables and defines a custom sensitive data type (applies to age 13 or less) that will be obscured in logs.
config log attack-log
set status enable
set packet-log anti-virus-detection cookie-poison custom-access custom-protection-rule hidden-fields-failed http-protocol-constraints illegal-file-type illegal-xml-format ip-intelligence padding-oracle parameter-rule-failed signature-detection
end
config log sensitive
set type custom-rule
end
config log custom-sensitive-rule
edit rule1
set type general-mask-rule
set expression "age\\=[1-13]*$"
next
end
Related topics
config log sensitive
config log attack-log
config log traffic-log