Sanitizing log files
Another way to prevent unauthorized access to sensitive information in log files is to remove or obscure that information.
The sanitize-log tool can be used to accomplish this. It classifies each log field into one of three categories found in the following table.
To sanitize log content as it’s being written, see Log sanitization.
| Category | Description |
|---|---|
| Preserve | The value of the field is preserved as it appeared in the log message. The |
| Tokenize | The value of the field is converted into a token, which is a number surrounded by curly braces (for example, the first tokenized value is “{1}”, the second is “{2}”, and so on). If the field value appears to be a DN or search filter, then only attribute values in that DN or filter are tokenized; otherwise, the entire value is tokenized. The same token is used for the same value every time it appears in a log file, which can make it easier to correlate information across operations without revealing what the value actually is. The tool is preconfigured with a set of log fields that are appropriate for tokenization, but you can add additional fields to this set with the |
| Redact | The entire value of the field will be replaced with the string |
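The three categories above, and the DN and search-filter handling described for Tokenize, can be illustrated with a short sketch. This is an added example, not the sanitize-log tool's own code: the field names, the `key=value` line layout, the `<redacted>` marker, and the choice to redact unclassified fields are all assumptions made for the illustration.

```python
import re

# Assumed field classification for this example; not the tool's preconfigured sets.
PRESERVE = {"op", "resultCode"}
TOKENIZE = {"dn", "base", "filter", "from"}
REDACTED = "<redacted>"  # placeholder marker chosen for this example

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FILTER_ITEM = re.compile(r'\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)([^()]*)\)')
RDN = re.compile(r'([A-Za-z][\w.-]*)=(.+)')

class Sanitizer:
    def __init__(self):
        self._tokens = {}  # original value -> token, shared across all lines

    def token(self, value):
        # Same value, same {n}; numbers are assigned in order of first appearance.
        return self._tokens.setdefault(value, "{%d}" % (len(self._tokens) + 1))

    def tokenize(self, value):
        if value.startswith("(") and value.endswith(")"):
            # Search filter: keep operators and attribute names, tokenize values.
            def item(m):
                v = m[3] if m[3] == "*" else self.token(m[3])  # presence test kept
                return "(%s%s%s)" % (m[1], m[2], v)
            return FILTER_ITEM.sub(item, value)
        rdns = [RDN.fullmatch(p.strip()) for p in re.split(r'(?<!\\),', value)]
        if all(rdns):
            # DN: keep attribute names, tokenize each RDN value.
            return ",".join("%s=%s" % (m[1], self.token(m[2])) for m in rdns)
        return self.token(value)  # neither DN nor filter: tokenize whole value

    def sanitize_line(self, line):
        def field(m):
            quoted = m[2] is not None
            value = m[2] if quoted else m[3]
            if m[1] in TOKENIZE:
                value = self.tokenize(value)
            elif m[1] not in PRESERVE:
                value = REDACTED  # unclassified fields are redacted (assumption)
            return '%s="%s"' % (m[1], value) if quoted else "%s=%s" % (m[1], value)
        return FIELD.sub(field, line)

# Constructed sample lines (not real tool output or a real log format).
SAMPLE = [
    'SEARCH op=1 base="ou=People,dc=example,dc=com" '
    'filter="(&(uid=jdoe)(objectClass=person))" authzID="u:admin"',
    'BIND op=2 dn="uid=jdoe,ou=People,dc=example,dc=com" resultCode=0',
]

if __name__ == "__main__":
    s = Sanitizer()
    for line in SAMPLE:
        print(s.sanitize_line(line))
```

Because the token map is shared across lines, `jdoe` receives the same token in the search filter and in the later bind DN, which is what allows operations to be correlated without exposing the value.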
The sanitize-log tool automatically detects whether the log file is encrypted or compressed, and you can also optionally encrypt or compress the output. It provides the following arguments in support of this.
| Argument | Description |
|---|---|
| | Specifies the path to a file containing the passphrase needed to decrypt the contents of the log file. This is generally not needed, as log files are encrypted with a key from the encryption settings database and the |
| | Indicates that the sanitized output should be compressed. |
| | Indicates that the sanitized output should be encrypted. |
| | Specifies the path to a file containing the passphrase that is used to encrypt the sanitized output. If this argument is not provided but the - |