DATA MASKING IN WAZUH


m mun

Mar 1, 2026, 2:09:56 PM (3 days ago) Mar 1
to Wazuh | Mailing List
Hi Wazuh community,

I would like to ask for opinions on data masking for logs inside Wazuh. Currently I have applied masking for the specific field; however, it is not sufficient, since the value of the sensitive data is still visible in the full log. I appreciate any advice from anyone with data masking experience, especially in Wazuh.

Nikhil Gurjar

Mar 1, 2026, 10:19:02 PM (3 days ago) Mar 1
to Wazuh | Mailing List
Hi Team,

Could you please clarify the masking configuration? Specifically, have you configured the pipeline setting in Filebeat on the Wazuh manager side, or is it configured on the endpoint side?

If you have already configured masking for specific values and do not want the full logs to be displayed for those alerts, you can add the following option inside your rule: <options>no_full_log</options>

If the rule you are modifying is a default rule, you can override it by using the overwrite="yes" attribute. For example (reference: Wazuh rules XML syntax documentation):

<rule id="87100" level="0" overwrite="yes">
  <decoded_as>json</decoded_as>
  <field name="integration">virustotal</field>
  <description>VirusTotal integration messages.</description>
  <options>no_full_log</options>
</rule>

This will prevent the full log from being displayed in the alert while still allowing the rule to trigger.

Looking forward to your update.


Best regards,
Nikhil

Nikhil Gurjar

Mar 2, 2026, 2:34:23 AM (3 days ago) Mar 2
to Wazuh | Mailing List
Hi Team,

Yes, your understanding is correct. If the <options>no_full_log</options> configuration is applied, it only affects the wazuh-alerts-* indices. If you enable the wazuh-archives-* indices, this option will not prevent the full_log field from being stored there.

However, your requirement to hide this field can still be achieved by updating the pipeline configuration. Please follow the steps below:

1. Navigate to the archives pipeline configuration file and take a backup of the existing configuration before making any changes.

cd /usr/share/filebeat/module/wazuh/archives/ingest
cp pipeline.json pipeline.json.20260302.bkup


2. Open the file in edit mode and insert the configuration below under the processors array, and update the value of the <YOUR_RULE_ID> placeholder.

nano pipeline.json

,{
  "remove": {
    "field": "full_log",
    "if": "ctx?.rule?.id == '<YOUR_RULE_ID>'",
    "ignore_missing": true,
    "ignore_failure": true
  }
}


3. Save the changes and update the pipeline via the command below, and make sure it loads successfully:

filebeat setup --pipelines --modules wazuh

4. Now for the `wazuh-archives` index, when this rule ID is triggered, the full log field will no longer exist.

Hope this information is helpful for you. Please let us know if you have any other queries here.

Best regards,
Nikhil
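As an added example (not code from this thread, and not part of Wazuh or Filebeat), the following Python script performs the edit described in steps 1 and 2 programmatically: it backs up the pipeline file, appends the conditional remove processor only once (so re-running it does not duplicate the processor), and goes slightly beyond the single-rule case in the post by accepting a list of rule IDs and joining them with || in the Painless condition. The function names, the constructed sample pipeline and the constructed sample events are assumptions made for this example; simulate_remove does not execute Painless, it only approximates what the processor does to an event so the effect can be checked offline. Step 3 (filebeat setup --pipelines --modules wazuh) still has to be run afterwards.

```python
"""Add a conditional `remove` processor for `full_log` to a Filebeat ingest
pipeline JSON such as /usr/share/filebeat/module/wazuh/archives/ingest/pipeline.json.

Added example for the mailing-list thread; not Wazuh's or Filebeat's own code.
"""
import copy
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the real archives pipeline.json (assumption: the real
# file has a top-level "processors" array, which this script relies on).
SAMPLE_PIPELINE = {
    "description": "Wazuh archives pipeline (constructed sample)",
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"date": {"field": "timestamp", "target_field": "@timestamp",
                  "formats": ["ISO8601"]}},
    ],
}


def painless_condition(rule_ids):
    """Build the Painless `if` expression: ctx?.rule?.id == '<id>' for each ID,
    joined with ||. Wazuh alerts carry rule.id as a string, hence the quotes."""
    ids = sorted({str(r) for r in rule_ids})
    if not ids:
        raise ValueError("at least one rule ID is required")
    return " || ".join(f"ctx?.rule?.id == '{rid}'" for rid in ids)


def remove_full_log_processor(rule_ids):
    """The processor from the post, with the condition generated for rule_ids."""
    return {
        "remove": {
            "field": "full_log",
            "if": painless_condition(rule_ids),
            "ignore_missing": True,
            "ignore_failure": True,
        }
    }


def add_full_log_removal(pipeline, rule_ids):
    """Return a copy of `pipeline` with the processor appended exactly once."""
    updated = copy.deepcopy(pipeline)
    processor = remove_full_log_processor(rule_ids)
    processors = updated.setdefault("processors", [])
    if processor not in processors:  # idempotent: re-running adds nothing
        processors.append(processor)
    return updated


def patch_pipeline_file(path, rule_ids):
    """Back up `path` (as in step 1) and rewrite it with the processor added."""
    path = Path(path)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d")
    backup = path.with_name(f"{path.name}.{stamp}.bkup")
    shutil.copy2(path, backup)
    pipeline = json.loads(path.read_text(encoding="utf-8"))
    path.write_text(json.dumps(add_full_log_removal(pipeline, rule_ids), indent=2),
                    encoding="utf-8")
    return backup


def simulate_remove(event, rule_ids):
    """Approximate the processor's effect on one event (no Painless involved):
    drop full_log when rule.id matches, leave the event untouched otherwise."""
    event = copy.deepcopy(event)
    rule_id = str((event.get("rule") or {}).get("id", ""))
    if rule_id in {str(r) for r in rule_ids}:
        event.pop("full_log", None)  # ignore_missing: no error if absent
    return event


if __name__ == "__main__":
    # Demonstrate on a temporary copy of the constructed sample rather than the live file.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "pipeline.json"
        target.write_text(json.dumps(SAMPLE_PIPELINE, indent=2), encoding="utf-8")
        print("backup written to", patch_pipeline_file(target, ["87100"]))
        print(target.read_text(encoding="utf-8"))
    # Constructed events: one hits the target rule, one does not.
    print(simulate_remove({"rule": {"id": "87100"}, "full_log": "secret"}, ["87100"]))
    print(simulate_remove({"rule": {"id": "5710"}, "full_log": "kept"}, ["87100"]))
```

Run it against the real file only after confirming the backup was created, and verify the result with the same filebeat setup command from step 3; a pipeline that fails to load because of a JSON error would leave the archives without any of the Wazuh processors, not just without this one.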