Customizing log field syntaxes
Use customized, syntax-based log sanitization to make results as useful as possible while preserving the privacy of sensitive content.
About this task
The following log field syntaxes are supported by the log sanitization functionality:
- String
- String list
- Boolean
- Integer
- Floating-point number
- Distinguished name (DN)
- LDAP search filter
- JSON object
- Generalized time timestamp
- RFC 3339 timestamp
The following values are accepted for the default-behavior property:
- preserve
- omit
- redact-entire-value
- redact-value-components
- tokenize-entire-value
- tokenize-value-components
For more information on the behavior of each value, see Log sanitization options.
Steps
- To update the default configuration for log field syntax behavior, run dsconfig set-log-field-syntax-prop.
Example:
The following example updates the DN syntax to indicate that DNs should use component-based redaction by default through the --set default-behavior option, but only for a specific set of attributes, using the --set included-sensitive-attribute option:
  dsconfig set-log-field-syntax-prop \
    --syntax-name "Distinguished Name" \
    --set default-behavior:redact-value-components \
    --set included-sensitive-attribute:uid \
    --set included-sensitive-attribute:givenName \
    --set included-sensitive-attribute:sn \
    --set included-sensitive-attribute:cn \
    --set included-sensitive-attribute:mail
Unless overridden by a more specific log field behavior configuration, any uid, givenName, sn, cn, or mail attribute values that appear in DNs are redacted, while the rest of the DN is kept intact. For example, a DN of uid=jdoe,ou=People,dc=example,dc=com might be logged as uid={REDACTED},ou=People,dc=example,dc=com.
For more information on including or excluding specific attributes and fields, see Log sanitization options.
- To finalize your changes, restart the server:
  bin/stop-server --restart
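To make the effect of redact-value-components with an included-sensitive-attribute list concrete, here is an added illustration (not the server's own sanitizer) that applies the same rule to DN strings. It goes slightly beyond the page's example by respecting RFC 4514 backslash escapes and multi-valued RDNs (attr=value+attr=value); the attribute set and the {REDACTED} token mirror the configuration above, and all sample DNs are constructed.

```python
# Constructed: the attributes named by --set included-sensitive-attribute above.
SENSITIVE_ATTRIBUTES = {"uid", "givenname", "sn", "cn", "mail"}
REDACTED = "{REDACTED}"


def split_unescaped(text, sep):
    """Split `text` on occurrences of `sep` that are not backslash-escaped.

    A backslash and the character after it are kept together, so an escaped
    comma or plus sign inside an attribute value never splits the DN.
    """
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def redact_dn_components(dn, sensitive=SENSITIVE_ATTRIBUTES):
    """Apply redact-value-components to a DN.

    Only the values of attributes listed in `sensitive` (compared
    case-insensitively) are replaced; attribute names, the RDN order and
    every other value stay intact, so the log entry remains correlatable.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, eq, _value = ava.partition("=")
            if eq and attr.strip().lower() in sensitive:
                avas.append(f"{attr}={REDACTED}")
            else:
                avas.append(ava)  # not sensitive: preserve as logged
        rdns.append("+".join(avas))
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample DN matching the example in the text.
    print(redact_dn_components("uid=jdoe,ou=People,dc=example,dc=com"))
```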