Filter Logs by Hash Mask

You can use the md5 function in your queries, or with the where and eval commands, to filter log data that contains hash-masked fields.

When you create a log source and define hash masks for specific fields, the resulting log data contains the hash of each masked field instead of its original value, and that hash is what you filter on. To extract the log records that contain the hash-masked value of a field, use the md5 function in your queries or with the where and eval commands.

For example, consider the following log data:

Jul 1,2018 23:43:23 severe jack User logged in
Jul 2,2018 02:43:12 warning jack User logged out
Jul 2,2018 05:23:43 info jane User logged in

When the user name field is hash masked, the log records look like this:

Jul 1,2018 23:43:23 severe 241fcf33eaa2ea61285f36559116cbad User logged in
Jul 2,2018 02:43:12 warning 241fcf33eaa2ea61285f36559116cbad User logged out
Jul 2,2018 05:23:43 info 8fb2f1187c72aab28236d54f0193a203 User logged in

The users jack and jane have the following hash values:

241fcf33eaa2ea61285f36559116cbad
8fb2f1187c72aab28236d54f0193a203
  • Use the md5 function in your search query: Specify the query * | search md5(jack) to filter the hash-masked records corresponding to the user jack.
  • Use the hash with the where and eval commands: To extract the log records corresponding to the user jack, use the hash of the user name in the search string * | where user = "241fcf33eaa2ea61285f36559116cbad".
  • Use the md5 function with the where and eval commands: Instead of looking up the hash of a specific user name, apply the same hash function that the mask uses to the plain value in the query. For example, to extract the log records corresponding to the user jack, use the search string * | where user = md5("jack").

    This lets you search only when you already know the possible values you are looking for. The hash cannot be reversed back into the original value; the query works because you hash a known candidate and compare it with the stored digest. Note that this cuts both ways: the hash is deterministic and unsalted, so anyone with a list of likely values (user names, for example) can hash each candidate and match it against the masked field in exactly the same way. Treat a hash mask as preventing casual reading of a field, not as protection against guessing a low-entropy value.

    Besides md5, you can use the sha1, sha256, and sha512 functions in the same way. Use the function that matches the hash mask defined on the log source; a value hashed with one function never matches a digest produced by another.
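The following Python script is an added example, not part of the original page or of the product's query language. It reproduces both halves of the mechanism described above on constructed log lines: masking the user field with a chosen hash function (md5, sha1, sha256, or sha512), then filtering the masked records by hashing a known candidate value, which is what * | where user = md5("jack") does. It also shows the caveat from the previous paragraphs as code: the same computation, run over a list of guesses, recovers the masked values. The line layout (timestamp, level, user, message) and the function names are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample log lines in the same shape as the page's example; not real data.
RAW_LOGS = [
    "Jul 1,2018 23:43:23 severe jack User logged in",
    "Jul 2,2018 02:43:12 warning jack User logged out",
    "Jul 2,2018 05:23:43 info jane User logged in",
]

# Assumed field layout for the example: timestamp, level, user, free-text message.
LINE_RE = re.compile(
    r"^(?P<time>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\w+) (?P<user>\S+) (?P<msg>.*)$"
)

# Hash functions the page lists as usable for hash masking.
SUPPORTED = ("md5", "sha1", "sha256", "sha512")


def hash_field(value: str, algo: str = "md5") -> str:
    """Hex digest of a field value, as a hash mask would store it (unsalted)."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hash function: {algo}")
    return hashlib.new(algo, value.encode("utf-8")).hexdigest()


def parse(line: str) -> dict:
    """Split one log line into its named fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def mask_user(line: str, algo: str = "md5") -> str:
    """Replace the user field with its hash, as the ingest-time hash mask does."""
    rec = parse(line)
    rec["user"] = hash_field(rec["user"], algo)
    return "{time} {level} {user} {msg}".format(**rec)


def filter_by_user(masked_lines, user: str, algo: str = "md5") -> list:
    """Equivalent of `* | where user = md5("jack")`: hash the known value, compare digests."""
    target = hash_field(user, algo)
    return [ln for ln in masked_lines if parse(ln)["user"] == target]


def guess_users(masked_lines, candidates, algo: str = "md5") -> dict:
    """Map each masked digest back to whichever candidate value produced it.

    This is the same computation filter_by_user performs, run once per guess.
    It demonstrates why an unsalted hash of a low-entropy field is searchable
    but not secret: anyone with a candidate list can do this.
    """
    lookup = {hash_field(c, algo): c for c in candidates}
    found = {}
    for ln in masked_lines:
        digest = parse(ln)["user"]
        if digest in lookup:
            found[digest] = lookup[digest]
    return found


if __name__ == "__main__":
    masked = [mask_user(ln) for ln in RAW_LOGS]
    for ln in masked:
        print(ln)
    print("records for jack:", filter_by_user(masked, "jack"))
    print("recovered from guesses:", guess_users(masked, ["alice", "bob", "jack", "jane"]))
```

Switching the algo argument to "sha256" or "sha512" masks and filters with those functions instead; a record masked with one function is never found by a query that hashes the candidate with another, which is why the query must use the same function as the mask.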