How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I filter information included in logs in IG 6.x?

Last updated Jan 11, 2023

The purpose of this article is to provide information on filtering the IG logs so that you control what information is logged. Filtering lets you mask sensitive information, such as passwords and session tokens, before it is written to the logs. This information applies to the capture logs for routes and to the audit logs.



Background Information

Capture logs

By default IG writes captured messages, including everything contained in the entity, to the logs without redaction, which means you need to mask sensitive information such as passwords to prevent it from being disclosed in the logs:

  • IG 7 and later - you can configure the CaptureDecorator to mask the values of headers and attributes in the logs. See CaptureDecorator for further information.
  • Pre-IG 7 - you can use the Logback replace(p){r, t} pattern conversion, which performs a regex substitution on the logged message, to mask information in the logs. See Filtering information in the capture logs for further information.

Audit logs

  • IG 7 and later - by default an allowlist determines which event fields appear in the logs, which prevents sensitive data for an event from being logged unless you explicitly allow it. See Safelisting Audit Event Fields for the Logs for further information.
  • Pre-IG 7 - you can use a filter policy in your AuditService configuration to exclude sensitive fields from the log files. See Filtering information in the audit logs for further information.

Filtering information in the capture logs

You can include the Logback replace(p){r, t} conversion in the pattern section of the logback.xml file in the IG configuration directory, which by default is $HOME/.openig/config/. The first argument is the sub-pattern whose output is filtered (typically %message), r is a regular expression and t is the replacement text. See Logback Layouts: Replace for further information about this conversion.

Note

Using the replace(p){r, t} conversion increases the logging overhead, because IG has to run the regular expression over the entire message each time it is logged; you should only apply it to the selective routes where you need this feature rather than to all routes.

The following example demonstrates using this function to replace passwords (this example is based on the default ConsoleAppender in the logback.xml file):

<encoder>
    <pattern>%nopex[%thread] %highlight(%-5level) %boldWhite(%logger{35}) - %replace(%message){'"X-OpenIDM-Password": ".*"', '"X-OpenIDM-Password": "xxx"'} %n%highlight(%rootException{short})</pattern>
</encoder>

You can also nest replace calls, for example:

%replace(%replace(%message){'regex1', 'replacement1'}){'regex2', 'replacement2'}

You can use websites such as Online Regex Tester to test your regular expressions for any other replacements you want to include. Logback uses the Java regular expression engine (java.util.regex), so select the Java flavour when testing and write group references in the replacement text as $1, $2 and so on. Be aware that a greedy expression such as ".*" matches as much of the line as it can, so it can mask neighbouring fields as well as the sensitive one; check that the non-sensitive parts of the message survive the replacement.
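The following script is an added example, not code from the ForgeRock article or from IG itself. It applies the same kind of regex substitution that the Logback replace(p){r, t} conversion performs to constructed sample capture-log text, so you can check a rule before putting it in logback.xml. It shows the over-masking caused by the greedy ".*" in the rule above alongside a tighter rule, a rule for a header line as the capture logs print it, and rules chained in order, which is what nested replace calls do. Logback uses java.util.regex with replaceAll(); for these patterns Python's re module behaves the same, except that Java replacement text references groups as $1 where Python uses \1. The sample text, header names and password values are made up.

```python
import re

# Added example (not from the ForgeRock article). Logback's %replace uses
# java.util.regex and Matcher.replaceAll(); Python's re module gives the same
# greedy/non-greedy results for the patterns below. Only the group syntax in
# the replacement differs: Java wants '$1', Python wants '\1'.

# Constructed sample capture-log text (not real IG output).
SAMPLE_JSON_ENTITY = (
    '{"userName": "demo", "X-OpenIDM-Password": "Passw0rd!", '
    '"X-OpenIDM-Username": "openidm-admin"}'
)
SAMPLE_HEADERS = "Host: ig.example.com\nX-OpenAM-Password: Passw0rd!\nAccept: */*"

# The rule from the article: the greedy ".*" runs to the LAST quote on the
# line, so every field that follows the password on that line is masked too.
GREEDY_RULE = (r'"X-OpenIDM-Password": ".*"', '"X-OpenIDM-Password": "xxx"')
# Tighter rule: stop at the next quote so neighbouring fields survive.
TIGHT_RULE = (r'"X-OpenIDM-Password": "[^"]*"', '"X-OpenIDM-Password": "xxx"')
# Header line as printed by the capture logs ("Name: value"), case-insensitive.
# In logback.xml the replacement would be written '$1xxx' instead of '\1xxx'.
HEADER_RULE = (r'(?im)^(X-OpenAM-Password: ).*$', r'\1xxx')


def mask(message, rules):
    """Apply (regex, replacement) rules in order, like nested %replace calls."""
    for pattern, replacement in rules:
        message = re.sub(pattern, replacement, message)
    return message


def leaks(masked, secrets):
    """Return the secrets that still appear in the masked text (should be empty)."""
    return [secret for secret in secrets if secret in masked]


if __name__ == "__main__":
    print(mask(SAMPLE_JSON_ENTITY, [GREEDY_RULE]))  # username field lost as well
    print(mask(SAMPLE_JSON_ENTITY, [TIGHT_RULE]))   # only the password masked
    print(mask(SAMPLE_HEADERS, [HEADER_RULE]))
    print(leaks(mask(SAMPLE_HEADERS, [HEADER_RULE]), ["Passw0rd!"]))
```

Run the script against a few lines copied from your own capture log, then transfer the regex into the replace(p){r, t} conversion unchanged; only the replacement text needs its group references rewritten for Java.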

Filtering information in the audit logs

You can include a filter policy in your AuditService configuration to exclude sensitive information. See AuditService for a suggested list of filters you should include. You can include as many or as few of these as required, plus any additional ones you need. The important thing is to ensure you give the full path to the field, starting with the audit topic and continuing through the event structure to the header, for example: /access/http/request/headers/.

The following example demonstrates using the filter policy to exclude the X-OpenAM-Password header from the audit logs:

"auditService": {
    "type": "AuditService",
    "config": {
        "config": {
            "filterPolicies": {
                "field": {
                    "excludeIf": [
                        "/access/http/request/headers/X-OpenAM-Password"
                    ]
                }
            }
        },
        "event-handlers": [{
            "class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
            "config": {
                "name": "json",
                "logDirectory": "/tmp/logs",
                "topics": [
                    "access"
                ]
            }
        }]
    }
},
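The following script is an added example, not code from the ForgeRock article or from the ForgeRock audit framework. It models how an excludeIf filter policy is applied to an audit event: the first segment of each path selects the audit topic, and the remaining segments walk into the event, with the last segment naming the field to remove. Running it over a sample event lets you confirm that a policy removes the header you intend and nothing else. The sample access event is constructed for the example, with header names and values that are made up, and its shape is only an approximation of a real IG access event.

```python
import copy

# Added example (not from the ForgeRock article). Models the effect of an
# AuditService excludeIf filter policy on one event; it is not ForgeRock's
# implementation.

# Constructed sample access audit event (shape approximated, values made up).
SAMPLE_EVENT = {
    "eventName": "IG-HTTP-ACCESS",
    "http": {
        "request": {
            "method": "POST",
            "path": "/openam/json/authenticate",
            "headers": {
                "Host": ["ig.example.com"],
                "X-OpenAM-Username": ["demo"],
                "X-OpenAM-Password": ["Passw0rd!"],
            },
        }
    },
}

# Policy paths in the form used by the article: /<topic>/<field>/<subfield>/...
EXCLUDE_IF = [
    "/access/http/request/headers/X-OpenAM-Password",
    "/access/http/request/headers/Authorization",  # absent here; must be a no-op
]


def apply_exclude_if(topic, event, exclude_if):
    """Return a copy of event with every excludeIf field for this topic removed."""
    result = copy.deepcopy(event)  # the original event is never modified
    for path in exclude_if:
        parts = path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != topic:
            continue  # policy is for a different topic (or malformed)
        node = result
        for key in parts[1:-1]:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break  # intermediate container missing: nothing to remove
        if isinstance(node, dict):
            node.pop(parts[-1], None)
    return result


def header_names(event):
    """Header names left in the event, handy for checking what survived."""
    return sorted(event["http"]["request"]["headers"])


if __name__ == "__main__":
    filtered = apply_exclude_if("access", SAMPLE_EVENT, EXCLUDE_IF)
    print(header_names(filtered))   # ['Host', 'X-OpenAM-Username']
```

A path whose first segment does not match the topic of the event, or whose intermediate containers are missing from the event, removes nothing, which is why the path must be spelled out from the topic all the way down to the header name.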

See Also

How do I generate more detailed debug logs to diagnose an issue in IG (All versions)?

Logging Events

Reference Logback Configuration

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.