Sanitize the contents of a server log file in order to remove potentially sensitive information while still attempting to retain enough information to make it useful for diagnosing problems or understanding load patterns. The sanitization process operates on fields that consist of name-value pairs. The field name will always be preserved, but field values may be tokenized or redacted if they may include sensitive information. Supported log file types include the file-based access, error, sync, and resync logs, as well as the operation timing access log and the detailed HTTP operation log. The audit log can be sanitized using the scramble-ldif tool.
sanitize-log --inputFile logs/access --outputFile logs/access.sanitized \ --preserveComments
sanitize-log --inputFile logs/access --outputFile logs/access.sanitized \ --displayUnparseableLines --tokenizeField pipe --redactField instanceName
sanitize-log --inputFile logs/errors.json \ --outputFile logs/errors.json.sanitized --json
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-i {path}
--inputFile {path}
Description | The path to the log file containing the data to be sanitized |
Required | Yes |
Multi-Valued | No |
--inputEncryptionPassphraseFile {path}
Description | The path to a file that contains the encryption passphrase needed to decrypt the input file if it is encrypted. If the input file is encrypted and this argument is not provided, then the tool will interactively prompt for the encryption passphrase. If a passphrase file is provided, then it must contain exactly one line that consists entirely of the passphrase |
Required | No |
Multi-Valued | No |
-o {path}
--outputFile {path}
Description | The path to the log file to which the sanitized log data should be written. If this is not specified, then the output file will use the same name as the input file, but with a '.sanitized' extension |
Required | No |
Multi-Valued | No |
--compressOutput
Description | GZIP-Compress the data written to the output file |
--encryptOutput
Description | Encrypt the data written to the output file. if the --outputEncryptionPassphraseFile argument is provided, then that passphrase will be used to encrypt the file; otherwise, the tool will interactively prompt for the passphrase |
--outputEncryptionPassphraseFile {path}
Description | The path to a file that contains the encryption passphrase needed to encrypt the output file if the --encryptOutput argument is provided. If the output is to be encrypted but no passphrase file is provided, then the tool will interactively prompt for the passphrase. If a passphrase file is given, then it must contain exactly one line that consists entirely of the passphrase |
Required | No |
Multi-Valued | No |
-j
--json
Description | Indicates that the log file is JSON-formatted |
-p {name}
--preserveField {name}
Description | The name of a log field whose value should be preserved without alteration. The default set of fields to preserve is: authenticationFailureReason, authFailureID, authorizationType, assuranceTimeoutMillis, assuredReplicationRequirements, attr, attribute, attrs, attributes, attrsReturned, authType, authenticationType, category, changeNumber, changeToSoftDeletedEntry, cipher, class, clientConnectionPolicy, conn, connectionID, deleteOldRDN, deref, dereferenceAliases, disconnectReason, entriesAddedToTarget, entriesDeletedFromSource, entriesReadFromSource, entriesReturned, etime, id, idToAbandon, indexesWithKeysAccessedExceedingEntryLimit, indexesWithKeysAccessedNearEntryLimit, intermediateResponsesReturned, isIndexed, localAssuranceLevel, localAssuranceSatisfied, messageID, messageType, method, missingPrivileges, mostExpensiveAggregatePhase, mostExpensiveAggregatePhaseTimeMicros, mostExpensivePhase, mostExpensivePhaseTimeMicros, msgID, name, negotiationProperties, oid, op, opID, operationID, operationType, origin, originDetails, phaseTimesMicros, pipe, preAuthorizationUsedPrivileges, processingTimeMillis, product, protocol, protocolVersion, qtime, rebalancingOp, rebalancingOperationID, remoteAssuranceLevel, remoteAssuranceSatisfied, replicaID, replicationChangeID, replicationCSN, replicationServerID, requestContentLength, requestContentType, requestControlOIDs, requestControls, requestCookieName, requestHeaderName, requestID, requestOID, requestParameterName, requestProtocol, requestType, requestedAttributes, requestedSizeLimit, requestedTimeSizeLimitSSeconds, responseContentLength, responseContentType, responseControlOIDs, responseControls, responseCookieName, responseDelayedByAssurance, responseHeaderName, responseOID, responseType, resultCode, resultCodeName, retiredPasswordUsed, saslMechanism, scope, scopeName, serverAssuranceResults, severity, sizeLimit, sourceAltered, sourceServerAltered, startupID, statusCode, syncClass, threadID, targetAltered, targetProtocol, targetServerAltered, timestamp, timeLimit, triggeredByConn, triggeredByConnectionID, triggeredByOp, triggeredByOperationID, typesOnly, uncachedDataAccessed, unindexed, usedPrivileges, usingAdminSessionWorkerThread, version, workQueueWaitTimeMillis |
Required | No |
Multi-Valued | Yes |
-t {name}
--tokenizeField {name}
Description | The name of a log field whose value should be tokenized. If the value of the specified field appears to be a DN or filter, then the attribute names will be preserved and only the values will be tokenized. If the value of the field does not appear to be a DN or filter, then the entire value will be tokenized. The default set of fields to tokenize is: authDN, authenticationDN, authorizationDN, authzDN, autoAuthenticatedAs, base, baseDN, dn, filter, from, fromAddress, instanceName, matchedDN, newRDN, newSuperior, redirectURI, requesterDN, requesterIP, softDeleteEntryDN, sourceBackendSet, sourceServer, targetBackendSet, targetHost, targetPort, targetServer, to, toAddress, toPort, undeleteFromDN, undeletedFromDN, url |
Required | No |
Multi-Valued | Yes |
-r {name}
--redactField {name}
Description | The name of a log field whose value should be redacted. Any field not configured to be preserved or tokenized will be redacted |
Required | No |
Multi-Valued | Yes |
-c
--preserveComments
Description | Indicates that comment lines (i.e., any line beginning with the '#' character) and blank lines should be included in the sanitized output. If comment lines are to be included, then they will not be altered |
-d
--displayUnparseableLines
Description | Display a message for each line contained in the log file that cannot be parsed as a valid log message |
--interactive
Description | Launch the tool in interactive mode. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |