Mask Sensitive Data
You can minimize the risk of exposing sensitive customer data such as credit card data or personally identifiable information (PII) by configuring automatic redaction of fields or patterns in log messages. This data masking, which happens after logs are ingested but before logs are indexed and stored, offers an extra layer of protection.
The data masking feature does the following:
- Retrieves masking rules from the configuration store based on Tenant.
- For each masking rule it retrieves, if the rule is applicable to an incoming log message based on the matching criteria you specified, it tries to match the expression in that rule to a string in the log message. If there's a match, it replaces the matched string with the value you specified in the rule.
- Stores log messages with masked data in the backend log data store.
- Stores patterns and masking rules in the configuration store.
The data masking feature does not:
- Mask data in anything other than log messages.
- Mask data retroactively.
You must be logged into the Cisco Cloud Observability interface with the role of Configuration Manager in order to configure data masking. Other roles can view data masking rules or expressions but cannot configure them.
Create a Masking Expression
- Click Configure > Data Security.
- Select the Masking Expressions tab.
- Click + Create masking expression, or select one of the predefined masking expressions for SSN or credit card number. The sample (preloaded) masking expressions are the ones of type Default on the Masking Expressions tab.
- Enter information on the Create Masking Expression form:
  - Set Expression name to the name you want to give this expression. You can use alphanumeric characters and underscores.
  - Set Regex for matching data to a regular expression. Don't use quotes. For example:
    ^[a-zA-Z0-9]+[a-zA-Z0-9_-]{0,128}[a-zA-Z0-9]$
  - Set Data sensitivity to the severity of the data you're masking (in other words, how critical it is to mask the data). Valid values: Low, Medium, High, Critical.
- Click Save.
Create a Masking Rule
- Click Configure > Data Security.
- Click + Create masking rule.
- Enter information on the Create Masking Rule form:
  - Set Masking rule name to the name you want to give this rule. You can use alphanumeric characters and underscores.
  - In Rule scope, select a log attribute from the Rule scope pull-down menu. To find the attribute you want, start typing into the pull-down menu. After you select an attribute, select an operator and type the value which this attribute must match in order to trigger this data masking rule. Create separate rules for each value of Rule scope. For examples of rule scope, see Log Collector Settings for simplified YAML or Log Collector Settings - Advanced YAML Layout for advanced YAML.
  - On the Masking expressions pull-down menu, select one or more masking expressions. You can also create new expressions by clicking Create new.
  - In the Replace sensitive data with pull-down menu, select the value to replace matching data with. Use the pull-down menu to select a single character, X, or to specify your own string.
- Click Save.
Enable or Disable a Masking Rule
Click the slider in a rule's Monitoring Status column to enable or disable it. Data masking rules only apply to new, incoming logs. Existing logs are not masked retroactively.
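To make the interaction between a rule's scope, its masking expressions, its replacement value and its enabled state concrete, here is an added Python model of the masking step described above. It is not Cisco's code: the data classes, the `service.name` scope attribute, the SSN and card regexes and the sample log records are all constructed for illustration (the product's predefined SSN and credit card expressions are not shown on this page).

```python
import re
from dataclasses import dataclass


@dataclass
class MaskingExpression:
    """Constructed model of a masking expression: name, regex, sensitivity."""
    name: str
    regex: str
    sensitivity: str  # Low, Medium, High or Critical


@dataclass
class MaskingRule:
    """Constructed model of a masking rule as created on the Data Security page."""
    name: str
    scope_attribute: str   # log attribute chosen in the Rule scope menu
    scope_value: str       # value that attribute must equal to trigger the rule
    expressions: list      # one or more MaskingExpression objects
    replacement: str = "X"
    enabled: bool = True   # the Monitoring Status slider


# Constructed expressions (hypothetical patterns, not the predefined ones).
SSN = MaskingExpression("ssn", r"\b\d{3}-\d{2}-\d{4}\b", "Critical")
CARD = MaskingExpression("card_number", r"\b(?:\d{4}[ -]?){3}\d{4}\b", "Critical")

RULES = [
    MaskingRule("checkout_pii", "service.name", "checkout", [CARD, SSN], "[REDACTED]"),
]

# Constructed log records: only the first one falls inside the rule's scope.
SAMPLE_LOGS = [
    {"service.name": "checkout", "message": "order ok card=4111 1111 1111 1111 ssn=123-45-6789"},
    {"service.name": "inventory", "message": "restock card=4111 1111 1111 1111"},
]


def rule_applies(rule: MaskingRule, record: dict) -> bool:
    """Scope check: a disabled rule, or a non-matching attribute value, skips the rule."""
    return rule.enabled and record.get(rule.scope_attribute) == rule.scope_value


def mask_record(record: dict, rules: list) -> dict:
    """Apply every applicable rule's expressions to the message text only."""
    masked = dict(record)
    for rule in rules:
        if not rule_applies(rule, record):
            continue
        for expr in rule.expressions:
            masked["message"] = re.sub(expr.regex, rule.replacement, masked["message"])
    return masked


def mask_all(records: list, rules: list = RULES) -> list:
    """Mask a batch of incoming records, mirroring the ingest-time (non-retroactive) step."""
    return [mask_record(r, rules) for r in records]
```

Attributes other than the message are copied through unchanged, which matches the page's note that masking applies to log messages only.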
Edit a Masking Rule
- Click Configure > Data Security.
- Select the Masking Rules tab.
- Click the three vertical dots on the right side of the rule you want to edit, and select Edit. If there is no Edit option, the rule is in an old format and cannot be edited.
Migrate Old Rules to the New Format
In the 23.10 release we changed the way you specify the scope of a data masking rule. Previously, you specified the scope as the value of the logFormat parameter in your simplified collectors-values.yaml (appd.log.format in your advanced collectors-values.yaml). This method has been deprecated. Now, you specify rule scope by selecting a log attribute from the Rule scope pull-down menu and specifying a value for that attribute. Masking rules that you created with the logFormat parameter still work, but are no longer editable. Best practice is to delete your existing data masking rules and recreate them using the Rule scope menu.