Customizing log field syntaxes
Use customized, syntax-based log sanitization to make results as useful as possible while preserving the privacy of sensitive content.
About this task
The following log field syntaxes are supported by the log sanitization functionality:
- String
- String list
- Boolean
- Integer
- Floating-point number
- Distinguished name (DN)
- LDAP search filter
- JSON object
- Generalized time timestamp
- RFC 3339 timestamp
The following values are accepted for the default-behavior property:
- preserve
- omit
- redact-entire-value
- redact-value-components
- tokenize-entire-value
- tokenize-value-components
For more information on the behavior of each value, see Log sanitization options.
Steps
- To update the default configuration for log field syntax behavior, run dsconfig set-log-field-syntax-prop.
  Example:
  The following example updates the DN syntax so that DNs use component-based redaction by default, through the --set default-behavior option, but only for a specific set of attributes, selected with the --set included-sensitive-attribute option:
  dsconfig set-log-field-syntax-prop \
    --syntax-name "Distinguished Name" \
    --set default-behavior:redact-value-components \
    --set included-sensitive-attribute:uid \
    --set included-sensitive-attribute:givenName \
    --set included-sensitive-attribute:sn \
    --set included-sensitive-attribute:cn \
    --set included-sensitive-attribute:mail
  Unless overridden by a more specific log field behavior configuration, any uid, givenName, sn, cn, or mail attribute values that appear in DNs are redacted, while the rest of the DN is kept intact. For example, a DN of uid=jdoe,ou=People,dc=example,dc=com might be logged as uid={REDACTED},ou=People,dc=example,dc=com. Components that are not in the included set (here ou=People and the dc components) are still written to the log, so add any attribute whose values are sensitive in your deployment to the included set. For more information on including or excluding specific attributes and fields, see Log sanitization options.
- To finalize your changes, restart the server:
  bin/stop-server --restart
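As an added example, not part of this page and not the directory server's own implementation, the following Python model shows what the component-based behaviors do to a DN, including the corner cases a sanitizer has to get right that the page's one-line example does not cover: escaped commas inside a value, multi-valued RDNs joined with +, and case differences in attribute type names. The {REDACTED} marker follows the page; the {TOKEN:...} marker, the HMAC-SHA256 pseudonym, and the sample DNs are assumptions constructed for this example, not a description of how the server tokenizes.

```python
import hashlib
import hmac

# Added illustration (not the directory server's code): a minimal model of
# component-based DN sanitization under the redact-value-components and
# tokenize-value-components behaviors, given a set of included sensitive
# attributes. The {REDACTED} marker follows the page's example; the
# {TOKEN:...} marker and the HMAC-SHA256 scheme are assumptions of this
# example only.

# Mirrors the included-sensitive-attribute values from the dsconfig example
# (stored lower-cased because LDAP attribute type names are case-insensitive).
SENSITIVE_ATTRS = {"uid", "givenname", "sn", "cn", "mail"}


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash.

    DN values may legitimately contain ',' or '+' escaped with a backslash
    (for example cn=Doe\\, John); a naive str.split would corrupt them.
    """
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch)
            current.append(text[i + 1])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _tokenize(value, key):
    # Keyed, deterministic pseudonym: the same value always maps to the same
    # token, so log lines about one entry can still be correlated, but
    # without the key a token cannot be tested against a guessed value.
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "{TOKEN:" + digest[:16] + "}"


def sanitize_dn(dn, behavior="redact-value-components",
                sensitive=SENSITIVE_ATTRS, key=None):
    """Return dn sanitized according to behavior (None means field omitted)."""
    if behavior == "preserve":
        return dn
    if behavior == "omit":
        return None  # the whole field is dropped from the log message
    if behavior == "redact-entire-value":
        return "{REDACTED}"
    if behavior == "tokenize-entire-value":
        if key is None:
            raise ValueError("tokenization requires a key")
        return _tokenize(dn, key)
    if behavior not in ("redact-value-components", "tokenize-value-components"):
        raise ValueError(f"unknown behavior: {behavior}")
    if behavior == "tokenize-value-components" and key is None:
        raise ValueError("tokenization requires a key")

    out_rdns = []
    for rdn in _split_unescaped(dn, ","):
        out_avas = []
        # A multi-valued RDN (cn=John Doe+employeeNumber=123) holds several
        # attribute-value assertions; each one is checked on its own.
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            attr = attr.strip()
            if attr.lower() in sensitive:
                if behavior == "redact-value-components":
                    value = "{REDACTED}"
                else:
                    value = _tokenize(value, key)
            out_avas.append(f"{attr}={value}")
        out_rdns.append("+".join(out_avas))
    return ",".join(out_rdns)


if __name__ == "__main__":
    # Constructed sample DNs.
    print(sanitize_dn("uid=jdoe,ou=People,dc=example,dc=com"))
    print(sanitize_dn("cn=Doe\\, John+employeeNumber=12345,ou=People,dc=example,dc=com"))
    print(sanitize_dn("uid=jdoe,ou=People,dc=example,dc=com",
                      behavior="tokenize-value-components", key=b"example-key"))
```

The model makes the practical difference between the two component behaviors visible: redaction destroys the value, while tokenization replaces it with a stable pseudonym that still lets you follow one entry across log lines. That pseudonym is therefore itself an identifier, and the key behind it has to be protected like any other secret; if the keyed function were replaced by a plain hash, a reader could confirm guesses against a list of known uids. The splitter also shows why sanitizing by regular expression over the raw DN string is risky: an escaped comma or a multi-valued RDN would either leak the value or mangle the surrounding components.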