Masking and Removing Personally Identifiable Information (PII) in Applications Logs on Avi Vantage

Overview

Avi Vantage collects different types of logs for troubleshooting performance or outage issues, end-user experience, and the success of an application. The Avi Controller collects HTTP request header and response header information while brokering connections between incoming client requests and the back-end servers. Starting with release 17.2.10, Avi Vantage supports removing or masking Personally Identifiable Information (PII) in HTTP request header and response header fields in application logs. The actual value of the selected HTTP header field can be removed or masked to X. HTTP request headers are masked in the following types of requests:

  • HTTP header received from the client.
  • HTTP header sent to the back-end server.

The following are treated as HTTP response headers on Avi Vantage:

  • Response headers received from the back-end server.
  • Response headers sent to the client.

Note: Any of the HTTP headers in the application logs on Avi Vantage can be masked or removed. The feature is not limited to masking the header value: the header name and its corresponding value can also be removed entirely from the application logs.

Use case

Exposure of user-related sensitive information, for example HTTP cookies and authorization information, is avoided, as is any security threat that could arise from exposed user- or server-related information.

Hiding PII in Information Logs using Avi CLI

Based on the requirement, any of the HTTP request headers and response headers can be masked or removed in the virtual service logs on Avi Vantage.

In the configuration snippet below, HTTP headers are selected either directly with match_str: "HTTP-Header-name" or, via a string group of header names, with string_group_uuids, and the corresponding action (to mask the original value) is set with action: LOG_FIELD_MASKOFF in the sensitive_log_profile of the analytics profile attached to a virtual service:

analyticsprofile_object {
   uuid: "l7-analytics-profile-3"
   name: "l7-analytics-profile-3"
   tenant_uuid: "admin"
   sensitive_log_profile {
      header_field_rules {
         index: 1
         name: "hdr_rule_1"
         enabled: true
         match {
            match_criteria: EQUALS
            string_group_uuids: "stringgroup-2"
         }
         action: LOG_FIELD_MASKOFF
      }
      header_field_rules {
         index: 2
         name: "hdr_rule_2"
         enabled: true
         match {
            match_criteria: CONTAINS
            match_str: "X-Forwarded-For"
         }
         action: LOG_FIELD_MASKOFF
      }
   }
}

stringgroup_object {
   uuid: "stringgroup-2"
   name: "stringgroup-2"
   kv {
      key: "Authorization"
   }
   kv {
      key: "Cookie"
   }
   kv {
      key: "Set-Cookie"
   }
   tenant_uuid: "admin"
}
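The following model, added here as an example and not Avi Vantage's own code, applies the two header_field_rules and the string group from the snippet above to a constructed set of headers, so the effect of EQUALS versus CONTAINS matching and of masking versus removing a field can be checked offline. It assumes that header names are compared case-insensitively, that LOG_FIELD_MASKOFF replaces the value with the string "X", and it uses the hypothetical name LOG_FIELD_REMOVE for the remove action, which is not an Avi identifier.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MASKOFF = "LOG_FIELD_MASKOFF"
REMOVE = "LOG_FIELD_REMOVE"  # hypothetical name for the UI's "remove" action
# String group from the snippet: the header names hdr_rule_1 matches on.
STRING_GROUPS = {"stringgroup-2": ["Authorization", "Cookie", "Set-Cookie"]}

@dataclass
class HeaderFieldRule:
    name: str
    match_criteria: str                    # EQUALS or CONTAINS
    action: str
    match_str: Optional[str] = None        # literal header name or fragment
    string_group_uuids: List[str] = field(default_factory=list)
    enabled: bool = True

    def matches(self, header_name: str) -> bool:
        # Assumption: names compare case-insensitively, as HTTP header names do.
        hn = header_name.lower()
        candidates = [self.match_str] if self.match_str else []
        for uuid in self.string_group_uuids:
            candidates.extend(STRING_GROUPS.get(uuid, []))
        if self.match_criteria == "EQUALS":
            return any(hn == c.lower() for c in candidates)
        if self.match_criteria == "CONTAINS":
            return any(c.lower() in hn for c in candidates)
        raise ValueError(f"unsupported match_criteria: {self.match_criteria}")

# The two header_field_rules from the analyticsprofile_object snippet.
RULES = [
    HeaderFieldRule("hdr_rule_1", "EQUALS", MASKOFF, string_group_uuids=["stringgroup-2"]),
    HeaderFieldRule("hdr_rule_2", "CONTAINS", MASKOFF, match_str="X-Forwarded-For"),
]

def sanitize_for_log(headers: dict, rules=RULES) -> dict:
    """Return the headers as they would be written to the application log."""
    logged = {}
    for name, value in headers.items():
        rule = next((r for r in rules if r.enabled and r.matches(name)), None)
        if rule is None:
            logged[name] = value           # not sensitive: logged verbatim
        elif rule.action == MASKOFF:
            logged[name] = "X"             # assumption: value becomes "X"
        elif rule.action == REMOVE:
            continue                       # header name and value both dropped
    return logged

# Constructed sample request (not from the page): proxy header, cookie, token.
SAMPLE_REQUEST = {"Host": "app.example.com", "Cookie": "session=abc123",
                  "Authorization": "Bearer tok", "X-Forwarded-For": "203.0.113.5"}
```

Note that the CONTAINS rule also matches any header whose name merely contains X-Forwarded-For, which is the behaviour to expect when reviewing what still reaches the logs.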

Changes in HTTP request and HTTP response headers

The following screenshots show the masked values of various HTTP headers in the logs on Avi Vantage.

Changes in HTTP request header

Details of an HTTP request header before the change in the analytic profile:

[Screenshot: request-header]

Details of an HTTP request header after the change in the analytic profile:

[Screenshot: request-header-after-the-change]

In the example above, the values of the following HTTP request headers are masked to X:

  • X-Forwarded-For
  • Authorization
  • Cookie

Changes in HTTP response header

Details of an HTTP response header in the application logs before the change in the analytic profile:

[Screenshot: response-header]

Details of an HTTP response header in the application logs after the change in the analytic profile:

[Screenshot: response-header-after-the-change]

In the example above, the value of the HTTP response header Set-Cookie is masked to X in the application logs.

Hiding PII in Information Logs using Avi UI

Starting with Avi Vantage release 18.1.4, the Sensitive Log Profile option is available in the Avi UI. It hides sensitive information in the application logs of the selected virtual service.

Note: Regular expressions (regex) are not supported in Sensitive Log Profile rules.

Follow these steps to add a new sensitive log profile or edit an existing one.

  1. Navigate to Applications > Virtual Services, select the desired virtual service, and click on the edit icon.

    [Screenshot: edit-vs]

  2. Navigate to the Analytics tab and click on the edit option for Analytic Profile as shown below.

    [Screenshot: edit-profile]

  3. Scroll down to the Sensitive Log Information section to add a new rule or edit the existing rules for capturing logs for the selected virtual service.

    [Screenshot: sensitive-log-profile]

  4. To add a new rule, click on the create option (the plus sign).

    [Screenshot: add-rule]

    To edit the existing rule, click on the edit option as shown below.

    [Screenshot: edit-log-profile]

  5. Provide the desired name, matching rule, and the desired action for the match.

    [Screenshot: log-profile]

  6. For Enable Action, the following actions are available:

    • Remove the matched fields from the logs
    • Mask the matched fields from the logs

      [Screenshot: action]