Log sanitization
The PingDirectory server allows you to sanitize information as it’s written to the access log so that you can prevent the system from logging sensitive information.
To learn about the mechanisms to protect information after it has already been logged, see Sanitizing log files.
The PingDirectory server can sanitize log content on a field-by-field basis for default text-based (name=value) and JSON-formatted access logs. You can also use log sanitization for any destination where these messages are written, such as log files, syslog, standard output, and standard error messages.
You can control log content for all access logs or on a per-log or per-field basis, including fields generated by third-party extensions. You can also specify a default behavior for all fields of a specified type, such as applying a default sanitization type for all distinguished names (DNs) and search filters.
Configuration elements
There are three main configuration elements for customizing log sanitization:
- Log field syntaxes
  These define the default behavior for each syntax and can specify additional configuration for these syntaxes (for example, the included/excluded LDAP attributes for distinguished names (DNs) and filters or fields for JSON objects).
  For more information, see Customizing log field syntaxes.
- Log field behaviors
  These can be used to define specific behaviors on a per-field basis and an optional overall default behavior for fields that are not explicitly configured.
  For more information, see Customizing log field behaviors.
- Access loggers
  These can be associated with log field behaviors or can default to the log field syntax configuration.
For a description of the behavior of each log sanitization option, see Log sanitization options.