---
title: Customizing log field syntaxes
description: Use customized, syntax-based log sanitization to make results as useful as possible while preserving the privacy of sensitive content.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_customizing_log_field_syntaxes
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_customizing_log_field_syntaxes.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Customizing log field syntaxes

Use customized, syntax-based log sanitization to make results as useful as possible while preserving the privacy of sensitive content.

## About this task

The following log field syntaxes are supported by the log sanitization functionality:

* String

* String list

* Boolean

* Integer

* Floating-point number

* Distinguished name (DN)

* LDAP search filter

* JSON object

* Generalized time timestamp

* [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) timestamp

The following values are accepted for the `default-behavior` property:

* `preserve`

* `omit`

* `redact-entire-value`

* `redact-value-components`

* `tokenize-entire-value`

* `tokenize-value-components`

|   |                                                                                                                        |
| - | ---------------------------------------------------------------------------------------------------------------------- |
|   | For more information on the behavior of each value, see [Log sanitization options](pd_ds_log_sanitization_types.html). |

## Steps

1. To update the default configuration for log field syntax behavior, run `dsconfig set-log-field-syntax-prop`.

   ### Example:

   The following example updates the DN syntax to indicate that DNs should use component-based redaction by default through the `--set default-behavior` option, but only for a specific set of attributes, using the `--set included-sensitive-attribute` option:

   ```
   dsconfig set-log-field-syntax-prop \
        --syntax-name "Distinguished Name" \
        --set default-behavior:redact-value-components \
        --set included-sensitive-attribute:uid \
        --set included-sensitive-attribute:givenName \
        --set included-sensitive-attribute:sn \
        --set included-sensitive-attribute:cn \
        --set included-sensitive-attribute:mail
   ```

   |   |                                                                                                                                                                                                                                                                                                                                              |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Unless overridden by a more specific log field behavior configuration, any `uid`, `givenName`, `sn`, `cn`, or `mail` attribute values that appear in DNs are redacted, while keeping the rest of the DN intact.For example, a DN of `uid=jdoe,ou=People,dc=example,dc=com`, might be logged as `uid={REDACTED},ou=People,dc=example,dc=com`. |

   For more information on including or excluding specific attributes and fields, see [Log sanitization options](pd_ds_log_sanitization_types.html).

2. To finalize your changes, restart the server:

   ```
   bin/stop-server --restart
   ```