The following log field syntaxes are supported by the log sanitization functionality:

  • String
  • String list
  • Boolean
  • Integer
  • Floating-point number
  • Distinguished name (DN)
  • LDAP search filter
  • JSON object
  • Generalized time timestamp
  • RFC 3339 timestamp

The following values are accepted for the default-behavior property:

  • preserve
  • omit
  • redact-entire-value
  • redact-value-components
  • tokenize-entire-value
  • tokenize-value-components

For more information on the behavior of each value, see Log sanitization options.

  1. To update the default configuration for log field syntax behavior, run dsconfig set-log-field-syntax-prop.

    The following example updates the DN syntax to indicate that DNs should use component-based redaction by default through the --set default-behavior option, but only for a specific set of attributes, using the --set included-sensitive-attribute option:

    dsconfig set-log-field-syntax-prop \
         --syntax-name "Distinguished Name" \
         --set default-behavior:redact-value-components \
         --set included-sensitive-attribute:uid \
         --set included-sensitive-attribute:givenName \
         --set included-sensitive-attribute:sn \
         --set included-sensitive-attribute:cn \
         --set included-sensitive-attribute:mail

    Unless overridden by a more specific log field behavior configuration, any uid, givenName, sn, cn, or mail attribute values that appear in DNs are redacted, while keeping the rest of the DN intact.

    For example, a DN of uid=jdoe,ou=People,dc=example,dc=com, might be logged as uid={REDACTED},ou=People,dc=example,dc=com.

    For more information on including or excluding specific attributes and fields, see Log sanitization options.

  2. To finalize your changes, restart the server:
    bin/stop-server --restart