PingDirectory

Sanitizing log files

Another way to prevent unauthorized access to sensitive information in log files is to remove or obscure that information.

The sanitize-log tool can be used to accomplish this. It classifies each log field into one of three categories found in the following table.

To sanitize log content as it’s being written, see Log sanitization.

Category Description

Preserve

The value of the field is preserved as it appeared in the log message. The sanitize-log tool is preconfigured with a set of log fields that should not contain any sensitive information and are considered safe to preserve, but you can add additional fields to this set using the --preserveField argument.

Tokenize

The value of the field is converted into a token, which is a number surrounded by curly braces (for example, the first tokenized value is “{1}”, the second is “{2}”, and so on). If the field value appears to be a DN or search filter, then only attribute values in that DN or filter are tokenized; otherwise, the entire value is tokenized. The same token is used for the same value every time it appears in a log file, which can make it easier to correlate information across operations without revealing what the value actually is. The tool is preconfigured with a set of log fields that are appropriate for tokenization, but you can add additional fields to this set with the --tokenizeField argument.

Redact

The entire value of the field will be replaced with the string ---REDACTED---. Any field that is not marked for preservation or tokenization is automatically redacted. If you want to redact a field whose value would otherwise be preserved or tokenized by default, you can use the --redactField argument.
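As an added illustration of the three categories and the tokenization rules described above (this is not PingDirectory's code and does not reproduce the sanitize-log tool's actual preconfigured field lists), the following Python sketch applies the same rules to the key=value fields of a few constructed access-log lines: preserved fields pass through unchanged, tokenized fields become numbered {n} tokens with DN and filter attribute values tokenized individually, and any other field is replaced with ---REDACTED---. The field sets, the treatment of the leading timestamp and operation type (kept verbatim), the empty-DN and presence-filter handling, and the sample log lines are all assumptions made for the example.

```python
import re

# Constructed classification for the demo. The real tool ships its own
# preconfigured sets and extends them via --preserveField / --tokenizeField /
# --redactField; anything in neither set is redacted, as the text describes.
PRESERVE_FIELDS = {"conn", "op", "msgID", "scope", "resultCode", "etime", "entriesReturned"}
TOKENIZE_FIELDS = {"base", "filter", "dn", "authDN", "requesterDN"}
REDACTED = "---REDACTED---"

# key=value or key="quoted value" (quoted values may contain spaces)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A whole value that looks like a DN: attr=value components separated by
# unescaped commas.
DN_RE = re.compile(r'^[A-Za-z][\w.;-]*=(?:[^,\\]|\\.)*(?:,[A-Za-z][\w.;-]*=(?:[^,\\]|\\.)*)*$')
DN_COMPONENT_RE = re.compile(r'([A-Za-z][\w.;-]*)=((?:[^,\\]|\\.)*)')
# attr<op>value inside an LDAP filter; assertion values cannot contain parentheses
FILTER_AV_RE = re.compile(r'([A-Za-z][\w.;-]*)([~<>]?=)([^()]*)')


class LogSanitizer:
    """Field-level sanitizer that mirrors the preserve/tokenize/redact model."""

    def __init__(self, preserve=PRESERVE_FIELDS, tokenize=TOKENIZE_FIELDS, redact=frozenset()):
        # An explicit redact request overrides a default preserve/tokenize entry.
        self.preserve = set(preserve) - set(redact)
        self.tokenize = set(tokenize) - set(redact)
        self._tokens = {}  # value -> "{n}", so repeated values get the same token

    def token(self, value):
        if value not in self._tokens:
            self._tokens[value] = "{%d}" % (len(self._tokens) + 1)
        return self._tokens[value]

    def tokenize_value(self, value):
        if value == "":
            return value  # assumption: an empty DN (root DSE base) has nothing to hide
        if DN_RE.match(value):
            # DN: tokenize each attribute value, keep attribute names and structure
            return DN_COMPONENT_RE.sub(
                lambda m: "%s=%s" % (m.group(1), self.token(m.group(2))), value)
        if value.startswith("(") and value.endswith(")"):
            # Search filter: tokenize assertion values only
            return FILTER_AV_RE.sub(self._filter_av, value)
        return self.token(value)  # anything else: tokenize the whole value

    def _filter_av(self, m):
        attr, op, val = m.groups()
        if val == "*":
            return m.group(0)  # assumption: presence filters carry no value to hide
        return "%s%s%s" % (attr, op, self.token(val))

    def sanitize_field(self, m):
        name, raw = m.groups()
        quoted = len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')
        value = raw[1:-1] if quoted else raw
        if name in self.preserve:
            return m.group(0)
        new = self.tokenize_value(value) if name in self.tokenize else REDACTED
        return "%s=%s" % (name, '"%s"' % new if quoted else new)

    def sanitize_line(self, line):
        # Only key=value fields are rewritten; the timestamp and operation
        # type at the start of the line are kept as-is (assumption).
        return FIELD_RE.sub(self.sanitize_field, line)


def sanitize_lines(lines, preserve_field=(), tokenize_field=(), redact_field=()):
    """Sanitize a whole log with overrides shaped like the CLI's --preserveField,
    --tokenizeField and --redactField arguments (the mapping is an assumption)."""
    sanitizer = LogSanitizer(PRESERVE_FIELDS | set(preserve_field),
                             TOKENIZE_FIELDS | set(tokenize_field),
                             set(redact_field))
    return [sanitizer.sanitize_line(line) for line in lines]


# Constructed sample access-log lines (not real PingDirectory output).
SAMPLE_LINES = [
    '[12/Mar/2024:10:15:32.123 -0500] SEARCH REQUEST conn=3 op=1 msgID=2 '
    'base="ou=People,dc=example,dc=com" scope=wholeSubtree '
    'filter="(&(objectClass=person)(uid=jdoe))" attrs="mail,telephoneNumber"',
    '[12/Mar/2024:10:15:32.130 -0500] SEARCH RESULT conn=3 op=1 msgID=2 '
    'resultCode=0 etime=1.234 entriesReturned=1',
    '[12/Mar/2024:10:15:33.001 -0500] BIND REQUEST conn=3 op=2 msgID=3 '
    'dn="uid=jdoe,ou=People,dc=example,dc=com" authType=SIMPLE',
]

if __name__ == "__main__":
    for out in sanitize_lines(SAMPLE_LINES):
        print(out)
```

Running the block shows the correlation property the text describes: the value jdoe appears in the search filter and again in the bind DN, and both occurrences become the same {5} token, so the two operations can still be linked without the sanitized log revealing the user ID. The attrs and authType fields, which are in neither constructed set, are redacted outright.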

The sanitize-log tool automatically detects whether the log file is encrypted or compressed, and you can also optionally encrypt or compress the output. It provides the following arguments in support of this.

Argument Description

--inputEncryptionPassphraseFile

Specifies the path to a file containing the passphrase needed to decrypt the contents of the log file. This is generally not needed, as log files are encrypted with a key from the encryption settings database and the sanitize-log tool can automatically obtain the appropriate key from that database. However, if that key is not available for some reason, you can use this argument to provide the necessary passphrase.

--compressOutput

Indicates that the sanitized output should be compressed.

--encryptOutput

Indicates that the sanitized output should be encrypted.

--outputEncryptionPassphraseFile

Specifies the path to a file containing the passphrase that is used to encrypt the sanitized output. If this argument is not provided but the --encryptOutput argument is given, then the tool interactively prompts for the passphrase.