Processing rule edits

Author: kimsauce

docs/send-data/opentelemetry-collector/remote-management/processing-rules/include-and-exclude-rules.md

@@ -5,25 +5,19 @@ sidebar_label: Include and Exclude Rules
 description: Use include and exclude processing rules to specify what kind of data is sent to Sumo Logic using OpenTelemetry Collector.
 ---
 
-<head>
-  <meta name="robots" content="noindex" />
-</head>
-
-<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
-
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-You can use include and exclude processing rules to specify what data is sent to Sumo Logic using OpenTelemetry Collector. Internally these will use [filter processor](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/filterprocessor) to get the data filtered.
+You can use include and exclude processing rules to define which data is sent to Sumo Logic using the OpenTelemetry Collector. These rules internally utilize the [filter processor](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/filterprocessor)  to filter the data.
 
-* An exclude rule functions as a denylist filter where the matching data is not sent to Sumo Logic.
-* An include rule functions as an allowlist filter where only matching data is sent to Sumo Logic.
+* An exclude rule functions as a denylist filter, ensuring that matching data is not sent to Sumo Logic.
+* An include rule functions as an allowlist filter, ensuring that only matching data is sent to Sumo Logic.
 
-As a best practice, specify these rules to match the lesser volume of data.
+As a best practice, configure these rules to filter the smaller volume of data for optimal performance:
 
-* If you want to **collect the majority of data** from a source template, provide **exclude** rules to match (filter out) the lesser volume of data.
-* If you want to **collect a small set of data** from a source template, provide **include** rules to match (filter in) the lesser volume of data.
+* If you want to **collect the majority of data** from a source template, use **exclude** rules to match (filter out) the lesser volume of data.
+* If you want to **collect a small set of data** from a source template, use **include** rules to match (filter in) the lesser volume of data.
 
-For example, to include only messages coming from a Windows Event log with ID `8015`, you can add a Logs Filter to the source template and select the **Type** of the filter as "Include message that match", and can use the following filter regular expression:
+For example, to include only messages from a Windows Event log with ID `8015`, you can add a Logs Filter to the source template. Select the **Type** of the filter as "Include messages that match" and use the following filter regular expression:
 
 ```
 .*"id":8015.*
@@ -33,10 +27,10 @@ For example, to include only messages coming from a Windows Event log with ID `8
 
 ## Rules and limitations
 
-When writing regular expression rules, you must follow these rules:
+When creating regular expression rules, adhere to the following guidelines:
 
-* Your rule must be [RE2 compliant](https://github.com/google/re2/wiki/Syntax).
-* If your rule matches *only a section* of the log line, the full log line will be matched.
-* For *single line messages*, it is not mandatory to prefix and suffix the regex expression with `.\*`.
-* Exclude rules take priority over include rules. Include rules are processed first. However, if an exclude rule matches data that matched the include rule filter, the data is excluded.
-* If two or more rules are listed, the assumed Boolean operator is `OR`.
+- Your rule must comply with [RE2 syntax](https://github.com/google/re2/wiki/Syntax).  
+- If your rule matches *any part* of a log line, the entire log line will be matched.  
+- For *single-line messages*, it is not necessary to prefix or suffix the regex with `.*`.  
+- *Exclude rules* take precedence over *include rules*. Include rules are processed first, but if an exclude rule matches data that also matches the include rule, the data will be excluded.  
+- When multiple rules are listed, the assumed Boolean operator is `OR`.

docs/send-data/opentelemetry-collector/remote-management/processing-rules/mask-rules-windows.md

@@ -1,32 +1,37 @@
 ---
 id: mask-rules-windows
 title: Mask Rules for the Windows Source Template
-sidebar_label: Mask Rules for Windows
+sidebar_label: Mask Rules - Windows Source Template
 description: Create a mask rule to replace an expression with a mask string.
 ---
-<head>
-  <meta name="robots" content="noindex" />
-</head>
-
-<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
 
 :::note
-This document only support masking logs for Windows source template. Refer to [Mask Rules](mask-rules.md) to mask logs for other source template.
+This document supports masking logs specifically for our [Windows source template](/docs/send-data/opentelemetry-collector/remote-management/source-templates/windows). For other source templates, refer to [Mask Rules](mask-rules.md).
 :::
 
-A mask rule is a type of processing rule that hides irrelevant or sensitive information from logs before they are ingested. When you create a mask rule, the selected key will have its value matched against a regex pattern, which will then be replaced with a mask string before being sent to Sumo Logic. You can provide a custom mask string or use the default string, `"#####"`.
+A mask rule is a type of processing rule that hides irrelevant or sensitive information from logs before they are ingested. When you create a mask rule:
+
+* The selected key’s value is matched against a regular expression (regex).
+* The matching portion is replaced with a mask string before being sent to Sumo Logic.
+* You can provide a custom mask string or use the default mask string: `"#####"`.
+
+Masking is an effective method for reducing overall ingestion volume. Ingestion volume is calculated after applying the mask filter. If masking reduces the log size, the smaller size will be considered against the ingestion limits.
 
-Ingestion volume is calculated after applying the mask filter. If masking reduces the log size, the smaller size will be considered against the ingestion limits. Masking is an effective method for reducing overall ingestion volume.
+## Masking inputs
 
 To mask specific fields in the Windows Event Log, the following inputs are required:
-- **Key**. This should point to the key in the Windows Event Log for which the value needs to be masked.  This key can be nested, with each level separated by a dot(.). For example, `provider.guid`.
-- **Regex**. This identifies the part of the string value that needs to be masked.
-- ** Replacement **. This is to get the string that will be substituted in place of the string that was selected through the regex expression.
+- **Key**. This should point to the key in the Windows Event Log for which the value needs to be masked. This key can be nested, with each level separated by a dot (`.`). For example, `provider.guid`.
+- **Regex**. This pattern identifies the part of the string value that needs to be masked.
+- **Replacement**. The string to substitute for the matching portion identified by the regex.
 
 :::important
 Any masking expression should be tested and verified with a sample source file before applying it to your production logs.
 :::
 
+## Examples
+
+### Masking numbers in a nested field
+
 For example, to mask numbers inside `guid` under `provider` field from this log:
 
 ```
@@ -89,8 +94,7 @@ You could use the following masking expression input:
 
 Using the above masking options would provide the following result:
 
-```
-{
+`{
   "record_id": 163054,
   "channel": "Security",
   "event_data": {
@@ -139,17 +143,16 @@ Using the above masking options would provide the following result:
     "id": 4798
   },
   "level": "Information"
-}
-```
+}`
 
 :::note
-- For masking, we use the [replace_pattern](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/ottlfuncs/README.md#replace_pattern) OTTL function. In this function:
-   - $ must be escaped as $$ to bypass environment variable substitution logic.
-   - To input a literal $, use $$$.
+- Masking utilizes the [replace_pattern](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/ottlfuncs/README.md#replace_pattern) OTTL function. In this function:
+   - Escape `$` as `$$` to bypass environment variable substitution logic.
+   - Use `$$$` to include a literal `$`.
 - When masking strings containing special characters like double quotes (`"`) and backslashes (`\`), these characters will be escaped by a backslash when masking the logs.
 :::
 
 ## Limitations
 
 - You can *only* mask the data which is a string in the Windows event log JSON.
-- You cannot mask a value which is nested inside any array.
+- You cannot mask a value that is nested inside any array.

docs/send-data/opentelemetry-collector/remote-management/processing-rules/mask-rules.md

@@ -3,35 +3,28 @@ id: mask-rules
 title: Mask Rules
 description: Create a mask rule to replace an expression with a mask string.
 ---
-<head>
-  <meta name="robots" content="noindex" />
-</head>
-
-<p><a href="/docs/beta"><span className="beta">Beta</span></a></p>
 
 :::note
-This document do not support masking logs for Windows source template. Refer to [Mask Rules for Windows Source Template](mask-rules-windows.md) to mask logs for Windows source template.
+This document does not cover masking logs for Windows source templates. For details on masking logs for Windows, refer to [Mask Rules for the Windows Source Template](mask-rules-windows.md).
 :::
 
-A mask rule is a type of processing rule that hides irrelevant or sensitive information from logs before ingestion. When you create a mask rule, whatever expression you choose to mask will be replaced with a mask string before it is sent to Sumo Logic. You can provide a mask string, or use the default `"#####"`.
+A mask rule is a processing rule that hides irrelevant or sensitive information from logs before they are ingested. When you create a mask rule, the selected expression will be replaced with a mask string before the data is sent to Sumo Logic. You can either specify a custom mask string or use the default `"#####"`.
 
-Ingestion volume is calculated after applying the mask filter. If the mask reduces the size of the log, the smaller size will be measured against ingestion limits. Masking is a good method for reducing overall ingestion volume.
+Ingestion volume is calculated after applying the mask filter. If the mask reduces the size of the log, the smaller size will be measured against ingestion limits. Masking is an effective method to reduce overall ingestion volume.
 
 For example, to mask the email address `[email protected]` from this log:
 
-```
-2018-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8] [module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:[email protected]] [remote_ip=98.248.40.103] [web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]
-```
+`2018-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8] [module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:[email protected]] [remote_ip=98.248.40.103] [web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]`
 
 You could use the following filter expression:
 
-```
+```sh
 auth=User:.*\.com
 ```
 
-Using the masking string `auth=User:AAA` would provide the following result:
+Using the masking string `auth=User:AAA` would produce the following result:
 
-```
+```sh
 2018-05-16 09:43:39,607 -0700 DEBUG [hostId=prod-cass-raw-8] [module=RAW] [logger=scala.raw.InboundRawProtocolHandler] [auth=User:AAA] [remote_ip=98.248.40.103] [web_session=19zefhqy...] [session=80F1BD83AEBDF4FB] [customer=0000000000000005] [call=InboundRawProtocol.getMessages]
 ```
 
@@ -41,50 +34,46 @@ Using the masking string `auth=User:AAA` would provide the following result:
 
     For example, this log message:
 
-    ```
-    {
+    `{
       "reqHdr":{
         "auth":"Basic ksoe9wudkej2lfj*jshd6sl.cmei=",
         "cookie":"$Version=0; JSESSIONID=6C1BR5DAB897346B70FD2CA7SD4639.localhost_bc; $Path=/"
       }
-    }
-    ```
+    }`
 
     You would use the following as a mask expression to mask the auth parameter's token:
 
     ```
     "auth"\s*:\s*"Basic\s*[^"]+"
     ```
 
-    If the masking string given here is `"auth":"#####"`, then the log output will be:
+    Applying the masking string `"auth":"#####"`, the log output will be:
 
-    ```
-    {
+    `{
       "reqHdr": {
         "auth":"#####",
         "cookie":"$Version=0; JSESSIONID=6C1BR5DAB897346B70FD2CA7SD4639.localhost_bc; $Path=/"
       }
-    }
-    ```
+    }`
 
 * Do not unnecessarily match on more of the log than needed. As seen in the previous example, avoid using overly broad expressions that could mask the entire log. This ensures that only the sensitive information is masked, not the whole log entry.
 
     ```
     (?s).*auth"\s*:\s*"Basic\s*([^"]+)".*(?s)
     ```
 
-* Make sure you do not specify a regular expression that matches a full log line. Doing so will result in the entire log line being masked.
+* Avoid regular expressions that match an entire log line, as this will result in the entire line being masked.
 
-* If you need to mask values on multiple lines, use single-line modifiers (?s). For example:
+* To mask values spanning multiple lines, use the single-line modifier `(?s)`. For example:
 
     ```
     auth=User\:(.*(?s).*session=.*?)\]
     ```
 
 :::note
-- For masking, we use the [replace_pattern](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/ottlfuncs/README.md#replace_pattern) OTTL function. In this function:
-   - $ must be escaped as $$ to bypass environment variable substitution logic.
-   - To input a literal $, use $$$.
+- Masking utilizes the [replace_pattern](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/ottlfuncs/README.md#replace_pattern) OTTL function. In this function:
+   - Escape `$` as `$$` to bypass environment variable substitution logic.
+   - Use `$$$` to include a literal `$`.
 - When masking strings containing special characters like double quotes (`"`) and backslashes (`\`), these characters will be escaped by a backslash when masking the logs.
 :::
 
@@ -98,6 +87,8 @@ Any masking expression should be tested and verified with a sample source file b
 
 You can mask credit card numbers from log messages using a regular expression within a mask rule. Once masked with a known string, you can then perform a search for that string within your logs to detect if credit card numbers may be leaking into your log files.
 
+To mask credit card numbers in logs, you can use a masking filter with the following regular expression:
+
 The following regular expression can be used within a masking filter to mask American Express, Visa (16 digit only), Mastercard, and Discover credit card numbers:
 
 ```
@@ -108,7 +99,7 @@ This regular expression covers instances where the number includes dashes, space
 
 Samples include:
 
-* **American Express:** 3711-078176-01234  \|  371107817601234  \|  3711 078176 01234
-* **Visa:** 4123-5123-6123-7123  \|  4123512361237123  \|  4123 5123 6123 7123
-* **Master Card:** 5123-4123-6123-7123  \|  5123412361237123  \|  5123 4123 6123 7123
-* **Discover:** 6011-0009-9013-9424  \|  6500000000000002  \|  6011 0009 9013 9424
+* **American Express**. 3711-078176-01234  \|  371107817601234  \|  3711 078176 01234
+* **Visa**. 4123-5123-6123-7123  \|  4123512361237123  \|  4123 5123 6123 7123
+* **Master Card**. 5123-4123-6123-7123  \|  5123412361237123  \|  5123 4123 6123 7123
+* **Discover**. 6011-0009-9013-9424  \|  6500000000000002  \|  6011 0009 9013 9424