- Observability: other versions:
- What is Elastic Observability?
- What’s new in 8.12
- Get started
- Observability AI Assistant
- Application performance monitoring (APM)
- Self manage APM Server
- Data Model
- Features
- How-to guides
- OpenTelemetry integration
- Manage storage
- Configure
- Advanced setup
- Secure communication
- Monitor
- Troubleshoot
- Upgrade
- Release notes
- Known issues
- Logs
- Infrastructure monitoring
- AWS monitoring
- Synthetic monitoring
- Get started
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure projects
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Use Synthetics with traffic filters
- Migrate from the Elastic Synthetics integration
- Scale and architect a deployment
- Synthetics support matrix
- Synthetics Encryption and Security
- Troubleshooting
- Uptime monitoring
- Real user monitoring
- Universal Profiling
- Alerting
- Service-level objectives (SLOs)
- Cases
- CI/CD observability
- Troubleshooting
- Fields reference
- Tutorials
- Monitor Amazon Web Services (AWS) with Elastic Agent
- Monitor Amazon Web Services (AWS) with Beats
- Monitor Google Cloud Platform
- Monitor a Java application
- Monitor Kubernetes
- Monitor Microsoft Azure with Elastic Agent
- Monitor Microsoft Azure with the Azure Native ISV Service
- Monitor Microsoft Azure with Beats
Custom filters
editCustom filters
editCustom filters allow you to filter or redact other types of APM data on ingestion:
Applied at ingestion time. All agents and fields are supported. Data leaves the instrumented service. There are no performance overhead implications on the instrumented service. |
Not supported by all agents. Data is sanitized before leaving the instrumented service. Potential overhead implications on the instrumented service |
Create an ingest pipeline filter
editIngest node pipelines specify a series of processors that transform data in a specific way. Transformation happens prior to indexing—inflicting no performance overhead on the monitored application. Pipelines are a flexible and easy way to filter or obfuscate Elastic APM data.
Tutorial: redact sensitive information
editSay you decide to capture HTTP request bodies
but quickly notice that sensitive information is being collected in the
{ "email": "test@abc.com", "password": "hunter2" }
Create a pipeline
To obfuscate the passwords stored in the request body, you can use a series of ingest processors. To start, create a pipeline with a simple description and an empty array of processors:
Add a JSON processor
Add your first processor to the processors array. Because the agent captures the request body as a string, use the JSON processor to convert the original field value into a structured JSON object. Save this JSON object in a new field:
{ "json": { "field": "http.request.body.original", "target_field": "http.request.body.original_json", "ignore_failure": true } }
Add a set processor
If body.original_json
is not null
, i.e., it exists, we’ll redact the password
with the set processor,
by setting the value of body.original_json.password
to "redacted"
{ "set": { "field": "http.request.body.original_json.password", "value": "redacted", "if": "ctx?.http?.request?.body?.original_json != null" } }
Add a convert processor
Use the convert processor to convert the JSON value of body.original_json
to a string and set it as the body.original
{ "convert": { "field": "http.request.body.original_json", "target_field": "http.request.body.original", "type": "string", "if": "ctx?.http?.request?.body?.original_json != null", "ignore_failure": true } }
Add a remove processor
Finally, use the remove processor to remove the body.original_json
{ "remove": { "field": "http.request.body.original", "if": "ctx?.http?.request?.body?.original_json != null", "ignore_failure": true } }
Register the pipeline
Now we’ll put it all together.
Use the create or update pipeline API to register the new pipeline in Elasticsearch.
Name the pipeline apm_redacted_body_password
PUT _ingest/pipeline/apm_redacted_body_password { "description": "redact http.request.body.original.password", "processors": [ { "json": { "field": "http.request.body.original", "target_field": "http.request.body.original_json", "ignore_failure": true } }, { "set": { "field": "http.request.body.original_json.password", "value": "redacted", "if": "ctx?.http?.request?.body?.original_json != null" } }, { "convert": { "field": "http.request.body.original_json", "target_field": "http.request.body.original", "type": "string", "if": "ctx?.http?.request?.body?.original_json != null", "ignore_failure": true } }, { "remove": { "field": "http.request.body.original_json", "if": "ctx?.http?.request?.body?.original_json != null", "ignore_failure": true } } ] }
Test the pipeline
Prior to enabling this new pipeline, you can test it with the simulate pipeline API. This API allows you to run multiple documents through a pipeline to ensure it is working correctly.
The request below simulates running three different documents through the pipeline:
POST _ingest/pipeline/apm_redacted_body_password/_simulate { "docs": [ { "_source": { "http": { "request": { "body": { "original": """{"email": "test@abc.com", "password": "hunter2"}""" } } } } }, { "_source": { "some-other-field": true } }, { "_source": { "http": { "request": { "body": { "original": """["invalid json" """ } } } } } ] }
This document features the same sensitive data from the original example above |
This document only contains an unrelated field |
This document contains invalid JSON |
The API response should be similar to this:
{ "docs" : [ { "doc" : { "_source" : { "http" : { "request" : { "body" : { "original" : { "password" : "redacted", "email" : "test@abc.com" } } } } } } }, { "doc" : { "_source" : { "nobody" : true } } }, { "doc" : { "_source" : { "http" : { "request" : { "body" : { "original" : """["invalid json" """ } } } } } } ] }
As expected, only the first simulated document has a redacted password field. All other documents are unaffected.
Create an @custom
The final step in this process is to call the newly created apm_redacted_body_password
from the @custom
pipeline of the data stream you wish to edit.
pipelines are specific to each data stream and follow a similar naming convention: <type>-<dataset>@custom
As a reminder, the default APM data streams are:
Application traces:
RUM and iOS agent application traces:
APM internal metrics:
APM transaction metrics:
APM service destination metrics:
APM service transaction metrics:
APM service summary metrics:
Application metrics:
APM error/exception logging:
APM app logging:
To match a custom ingest pipeline with a data stream, follow the <type>-<dataset>@custom
or replace -namespace
with @custom
in the table above.
For example, to target application traces, you’d create a pipeline named traces-apm@custom
Use the create or update pipeline API to register the new pipeline in Elasticsearch.
Name the pipeline traces-apm@custom
PUT _ingest/pipeline/traces-apm@custom { "processors": [ { "pipeline": { "name": "apm_redacted_body_password" } } ] }
If you prefer using a GUI, you can instead open Kibana and navigate to Stack Management → Ingest Pipelines → Create pipeline. Use the same naming convention explained previously to ensure your new pipeline matches the correct APM data stream.
That’s it! Passwords will now be redacted from your APM HTTP body data.
To learn more about ingest pipelines, see View the Elasticsearch index template.
APM agent filters
editSome APM agents offer a way to manipulate or drop APM events before they are sent to the APM Server. Please see the relevant agent’s documentation for more information and examples:
- .NET: Filter API.
. - Python: custom processors.