Another way to prevent unauthorized access to sensitive information in log files is to remove or obscure that information.
The sanitize-log tool can be used to accomplish this. It classifies each log field into one of three categories.
Category | Description |
---|---|
Preserve | The value of the field is preserved as it appeared in the log message. The sanitize-log tool is preconfigured with a set of log fields that should not contain any sensitive information and are considered safe to preserve, but you can add additional fields to this set using the |
Tokenize | The value of the field is converted into a token, which is a number surrounded by curly braces (for example, the first tokenized value is "{1}", the second is "{2}", and so on). If the field value appears to be a DN or search filter, then only attribute values in that DN or filter are tokenized; otherwise, the entire value is tokenized. The same token is used for the same value every time it appears in a log file, which can make it easier to correlate information across operations without revealing what the value actually is. The tool is preconfigured with a set of log fields that are appropriate for tokenization, but you can add additional fields to this set with the |
Redact | The entire value of the field will be replaced with the string |
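To make the three categories concrete, here is an added example (not the sanitize-log tool's own code) of a small sanitizer that applies preserve, tokenize and redact rules to a constructed `key=value` access-log format. The field sets, the `{REDACTED}` replacement string, the log lines and the DN/filter detection heuristics are all assumptions made for illustration; the real tool's preconfigured sets and its argument names are not reproduced here. The point it demonstrates is the consistent-token behaviour: the same value gets the same token whether it appears in a DN, a search filter or a bare field, so operations stay correlatable while the values themselves are hidden.

```python
import re
from typing import Dict, Iterable, List

# Constructed field classification for this example. Anything not listed in
# either set falls through to redaction.
PRESERVE_FIELDS = {"conn", "op", "msgID", "resultCode", "etime"}
TOKENIZE_FIELDS = {"dn", "base", "filter", "from", "authDN"}
# Placeholder: the page's actual redaction string is not shown in this extract.
REDACT_STRING = "{REDACTED}"

# key=value or key="quoted value" fields (constructed log format)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Simplified DN check: comma-separated attr=value components (escaped commas ignored)
DN_RE = re.compile(r'^[\w.;-]+=[^,]+(?:,[\w.;-]+=[^,]+)*$')
# Simple filter components such as (uid=jdoe), (cn~=x), (age>=18)
FILTER_COMPONENT_RE = re.compile(r'\(([\w.;-]+)(=|~=|>=|<=)([^()]*)\)')


class LogSanitizer:
    def __init__(self, preserve=PRESERVE_FIELDS, tokenize=TOKENIZE_FIELDS):
        self.preserve = set(preserve)
        self.tokenize = set(tokenize)
        # value -> token; numbered in order of first appearance. This map is
        # itself sensitive (it reverses the tokenization) and must not be
        # written next to the sanitized output.
        self._tokens: Dict[str, str] = {}

    def token_map(self) -> Dict[str, str]:
        return dict(self._tokens)

    def _token(self, value: str) -> str:
        if value not in self._tokens:
            self._tokens[value] = "{%d}" % (len(self._tokens) + 1)
        return self._tokens[value]

    def _tokenize_value(self, value: str) -> str:
        # DN: keep attribute names, tokenize only the attribute values.
        if DN_RE.match(value):
            parts = []
            for rdn in value.split(","):
                attr, val = rdn.split("=", 1)
                parts.append(f"{attr}={self._token(val)}")
            return ",".join(parts)
        # Search filter: tokenize assertion values, keep attributes and operators.
        if value.startswith("(") and value.endswith(")"):
            def repl(m):
                attr, op, val = m.groups()
                if val == "*":          # presence filter carries no data value
                    return m.group(0)
                return f"({attr}{op}{self._token(val)})"
            return FILTER_COMPONENT_RE.sub(repl, value)
        # Anything else: tokenize the whole value.
        return self._token(value)

    def sanitize_line(self, line: str) -> str:
        def repl(m):
            key, quoted, bare = m.groups()
            value = quoted if quoted is not None else bare
            if key in self.preserve:
                new = value
            elif key in self.tokenize:
                new = self._tokenize_value(value)
            else:
                new = REDACT_STRING
            return f'{key}="{new}"' if quoted is not None else f"{key}={new}"
        return FIELD_RE.sub(repl, line)


def sanitize_log(lines: Iterable[str], sanitizer: LogSanitizer = None) -> List[str]:
    """Sanitize a sequence of lines with one shared token table."""
    sanitizer = sanitizer or LogSanitizer()
    return [sanitizer.sanitize_line(line) for line in lines]


# Constructed sample log lines (not real PingDirectory output).
SAMPLE_LOG = [
    'SEARCH conn=1 op=0 msgID=1 base="ou=People,dc=example,dc=com" '
    'filter="(&(uid=jdoe)(objectClass=person))" from="10.0.0.5:51234"',
    'BIND conn=1 op=1 msgID=2 dn="uid=jdoe,ou=People,dc=example,dc=com" '
    'authType="SIMPLE" resultCode=0 etime=0.412',
]

if __name__ == "__main__":
    for out in sanitize_log(SAMPLE_LOG):
        print(out)
```

Running it shows `jdoe` becoming `{4}` in the first line's filter and again `{4}` in the second line's bind DN, while `authType`, which is in neither set, is replaced outright. Note that one `LogSanitizer` instance must be used for the whole file, since a fresh instance restarts the numbering and breaks cross-line correlation.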
The sanitize-log tool automatically detects whether the log file is encrypted or compressed, and you can also optionally encrypt or compress the output. It provides the following arguments in support of this.
Argument | Description |
---|---|
 | Specifies the path to a file containing the passphrase needed to decrypt the contents of the log file. This is generally not needed, as log files are encrypted with a key from the encryption settings database and the sanitize-log tool can automatically obtain the appropriate key from that database. However, if that key is not available for some reason, you can use this argument to provide the necessary passphrase. |
 | Indicates that the sanitized output should be compressed. |
 | Indicates that the sanitized output should be encrypted. |
 | Specifies the path to a file containing the passphrase that is used to encrypt the sanitized output. If this argument is not provided but the - |