0

I've been scouring through the rsyslog documentation for a way to anonymize MySQL log data by removing quoted strings. I've successfully managed to detect strings with sensitive data using the :contains property but I can't seem to find a way to replace.

I've looked through the property options and the regex functionality. I believe I may be missing something because none of those provide a straightforward way to find and replace.

A23

1 Answer

0

AFAIK, there's no way currently to do regex replace in rsyslog. The cleanest way (I see) for achieving what you need is to parse your logs with mmnormalize (more documentation can be found at liblognorm, which is the library mmnormalize uses). Then, you can access all the parsed properties, and put whatever you want in templates. Templates let you select what properties from the messages get written in MySQL.

The benefit of this solution is that mmnormalize should be faster than using regular expressions. The problem is that you'll probably need a new version of rsyslog (probably 8.x) to get it working properly.

Radu Gheorghe
  • I ended up piping it through a filter. I'll look into mmnormalize. Thanks very much – A23 Jan 28 '14 at 21:12
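
A stand-alone stdin-to-stdout filter of the kind the comment above mentions, as an added example that is not code from either poster: it replaces quoted string literals in MySQL log lines with a placeholder. The names `anonymize`, `PLACEHOLDER` and `SAMPLE`, and the sample statements, are assumptions constructed for illustration.

```python
import re
import sys

PLACEHOLDER = "'?'"  # assumption: what each redacted literal is replaced with


def _literal(q: str) -> str:
    # Opening quote, then any run of: ordinary characters, backslash escapes
    # (\' or \"), or doubled quotes ('' or ""). The literal ends at the closing
    # quote or, for a truncated log line, at end of input, so an unterminated
    # string is still redacted instead of leaking.
    return rf"{q}(?:[^{q}\\]|\\.?|{q}{q})*(?:{q}|$)"


# Single- and double-quoted literals (MySQL treats both as strings by default).
# Backtick-quoted identifiers are deliberately left alone.
QUOTED = re.compile("|".join(_literal(q) for q in "'\""), re.DOTALL)


def anonymize(line: str) -> str:
    """Replace every quoted string literal in one log line with PLACEHOLDER."""
    return QUOTED.sub(PLACEHOLDER, line)


# Constructed sample statements, used only when nothing is piped in.
SAMPLE = [
    "UPDATE users SET email='bob@example.com' WHERE id=7",
    r"INSERT INTO t VALUES ('it\'s', 'O''Brien', '')",
    "SELECT `name` FROM t WHERE note=\"it's private\" AND a='cut off",
]


def main() -> None:
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    for raw in lines:
        # Strip the newline first so a truncated literal cannot swallow it.
        sys.stdout.write(anonymize(raw.rstrip("\n")) + "\n")


if __name__ == "__main__":
    main()
```

Numeric literals and identifiers pass through unchanged; only quoted strings are redacted.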