Obscuring sensitive data in the logs
You can configure the FortiWeb appliance to hide certain predefined data types, including user names and passwords, that could appear in the packet payloads accompanying a log message. You can also define and include your own sensitive data types, such as ages (relevant if you are required to comply with COPPA) or other identifying numbers, using regular expressions.
 
Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing ones.
To exclude custom sensitive data from log packet payloads
1. Go to Log&Report > Log Config > Log Custom Sensitive Rule.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see “Permissions”.
2. On the top right side of the page, mark one or both of the following check boxes:
Enable Predefined Rules — Use the predefined credit card number and password data types. See “Predefined suspicious request URLs”.
Enable Custom Rules — Use your own regular expressions to define sensitive data. See “Grouping custom suspicious request URLs”.
3. Click Create New.
A dialog appears.
4. In Name, type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Select either General Mask (a regular expression that will match any substring in the packet payload) or Field Mask (a regular expression that will match only the value of a specific form input).
In the field next to General Mask, type a regular expression that matches all the strings or numbers that you want to obscure in the packet payloads.
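For example, to hide a parameter that contains the age of users under 14, you could enter:
age\=(1[0-3]|[1-9])\b
A bracket expression matches a single character, so a numeric range such as 1 through 13 must be written as an alternation; [1-13] would match only the characters 1 and 3.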
Valid expressions must not start with an asterisk ( * ). The maximum length is 255 characters.
For Field Mask, in the left-hand field (Field Name), type a regular expression that matches all and only the input names whose values you want to obscure. (The input name itself will not be obscured. If you wish to do this, use General Mask instead.) Then, in the right-hand field (Field Value), type a regular expression that matches all input values that you want to obscure. Valid expressions must not start with an asterisk ( * ). The maximum length is 255 characters.
For example, to hide a parameter that contains the age of users under 14, you would enter age for Field Name and (1[0-3]|[1-9])\b for Field Value. (A bracket expression such as [1-13] matches only the single characters 1 and 3, not the numbers 1 through 13.)
 
Field masks using asterisks are greedy: a match for the parameter’s value will obscure it, but will also obscure the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.

For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the Field Name username but not any of the parameters that follow it, you could enter the Field Value:

.*?(?=\&)

This would result in:

username****&age=13&origurl=%2Flogin
 
To test a regular expression, click the >> (test) button. This opens the Regular Expression Validator window where you can fine-tune the expression (see “Regular expression syntax”).
6. Click OK.
The expression appears in the list of regular expressions that define sensitive data that will be obscured in the logs.
When viewing new log messages, data types matching your expression are replaced with a string of asterisks.
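
The following Python sketch is an added example, not FortiWeb code: it models General Mask and Field Mask as plain regex substitution (an assumption, including the asterisk count and the retained "=") to show how the greedy, lookahead and bracket-expression patterns discussed in step 5 behave on constructed payloads. It goes beyond the page by also testing a field in last position and the alternative Field Value [^&]*, both of which are additions here.

```python
import re

# Simplified model of the two mask types (an assumption for illustration,
# not FortiWeb's implementation): matched text becomes asterisks.
def general_mask(payload, expr):
    return re.sub(expr, lambda m: "*" * len(m.group(0)), payload)

def field_mask(payload, name_re, value_re):
    # Apply value_re only directly after "<name>=" at the start of a parameter.
    pat = re.compile(r"(?P<k>(?:^|(?<=&))(?:" + name_re + r")=)(?P<v>" + value_re + r")")
    return pat.sub(lambda m: m.group("k") + "*" * len(m.group("v")), payload)

# Constructed sample payloads: the same parameters in two orders.
MID = "username=alice&age=13&origurl=%2Flogin"
LAST = "age=13&origurl=%2Flogin&username=alice"

GREEDY = r".*"            # consumes every parameter after the field
LOOKAHEAD = r".*?(?=\&)"  # stops before "&", but requires one to exist
NEGATED = r"[^&]*"        # stops before "&" or at end of payload

AGE_CLASS = r"age\=[1-13]"            # class = the characters "1" and "3"
AGE_RANGE = r"age\=(1[0-3]|[1-9])\b"  # the numbers 1 through 13

def report():
    rows = []
    for label, expr in (("greedy", GREEDY), ("lookahead", LOOKAHEAD), ("negated", NEGATED)):
        for payload in (MID, LAST):
            rows.append((label, field_mask(payload, "username", expr)))
    for label, expr in (("class", AGE_CLASS), ("range", AGE_RANGE)):
        for payload in ("age=7", "age=13", "age=35"):
            rows.append((label, general_mask(payload, expr)))
    return rows

if __name__ == "__main__":
    for label, masked in report():
        print(f"{label:10} {masked}")
```

In this model the lookahead pattern leaves username unmasked when it is the last parameter, so a mask is worth checking in the Regular Expression Validator against payloads with the field in the middle and at the end.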