How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I filter information included in logs in IG 5.x and 6.x?

Last updated Apr 7, 2021

This article explains how to filter the IG logs to control what information is logged. Filtering allows you to mask sensitive information in the logs, such as passwords and session tokens. This information applies to capture logs for routes and to audit logs.



Background Information

Capture logs

IG logs everything contained in the entity by default, which means you need to mask sensitive information such as passwords to prevent them from being disclosed in the logs:

Audit logs

Filtering information in the capture logs (pre-IG 7)

You can include the Logback replace(p){r, t} function in the pattern section of the logback.xml file in the IG configuration directory, which by default is $HOME/.openig/config/. See Logback Layouts › Replace for further information about this function.

Note

Using the replace(p){r, t} function increases the logging overhead because IG has to parse the entire message; apply it only to the selected routes where you need this feature rather than to all routes.

The following example demonstrates using this function to replace passwords (this example is based on the default ConsoleAppender in the logback.xml file):

    <encoder>
        <pattern>%nopex[%thread] %highlight(%-5level) %boldWhite(%logger{35}) - %replace(%message){'"X-OpenIDM-Password": ".*"', '"X-OpenIDM-Password": "xxx"'} %n%highlight(%rootException{short})</pattern>
    </encoder>

You can also nest replace calls, for example:

%replace(%replace(%message){'regex1', 'replacement1'}){'regex2', 'replacement2'}

You can use websites such as Online Regex Tester to test your regular expressions for any other replacement changes you want to include.
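Candidate replace rules can also be tested offline, so sample secrets never leave your machine. The following is an added example, not ForgeRock code: the log messages are constructed, the NAIVE and STRICT patterns are assumptions, and Python's re module stands in for the Java regex engine that Logback uses (these particular patterns behave the same in both). It reports which rules leave part of a secret visible and which ones remove harmless text that follows the password on the same line.

```python
import re

REPL = '"X-OpenIDM-Password": "xxx"'
# Candidate rules as (regex, replacement) pairs, innermost %replace first.
GREEDY = [(r'"X-OpenIDM-Password": ".*"', REPL)]               # rule from the article
NAIVE = [(r'"X-OpenIDM-Password": "[^"]*"', REPL)]             # assumption: stop at next quote
STRICT = [(r'"X-OpenIDM-Password": "(?:[^"\\]|\\.)*"', REPL)]  # assumption: escape-aware

# Constructed messages: (text, secret that must vanish, harmless text that should survive)
SAMPLES = [
    ('"X-OpenIDM-Username": "admin", "X-OpenIDM-Password": "Passw0rd!"',
     'Passw0rd!', '"admin"'),
    ('"X-OpenIDM-Password": "Passw0rd!", "Host": "ig.example.com"',
     'Passw0rd!', 'ig.example.com'),
    # Password containing an escaped quote, logged as pa\"ss-w0rd
    ('"X-OpenIDM-Password": "pa\\"ss-w0rd", "Host": "ig.example.com"',
     'ss-w0rd', 'ig.example.com'),
]


def mask(message, rules):
    """Apply the rules in order, as nested %replace calls do (innermost first)."""
    for regex, replacement in rules:
        message = re.sub(regex, replacement, message)
    return message


def audit(rules, samples=SAMPLES):
    """Return (leaks, collateral): secrets still visible, harmless text lost."""
    leaks, collateral = [], []
    for text, secret, keep in samples:
        out = mask(text, rules)
        if secret in out:
            leaks.append(secret)
        if keep not in out:
            collateral.append(keep)
    return leaks, collateral


if __name__ == "__main__":
    for name, rules in (("GREEDY", GREEDY), ("NAIVE", NAIVE), ("STRICT", STRICT)):
        leaks, collateral = audit(rules)
        print(f"{name}: leaked={leaks} lost={collateral}")
```

Before using a pattern other than the article's in logback.xml, confirm on a test route that its quotes and backslashes survive Logback's option parsing unchanged.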

Filtering information in the audit logs (pre-IG 7)

You can include a filter policy in your AuditService configuration to exclude sensitive information. See Configuration Reference › AuditService for a suggested list of filters you should include. You can include as many or as few of these as required, plus any additional ones you need. The important thing is to ensure you include the path to the header, for example: /access/http/request/headers/.

The following example demonstrates using the filter policy to exclude the X-OpenAM-Password header from the audit logs:

    "auditService": {
        "type": "AuditService",
        "config": {
            "config": {
                "filterPolicies": {
                    "field": {
                        "excludeIf": [
                            "/access/http/request/headers/X-OpenAM-Password"
                        ]
                    }
                }
            },
            "event-handlers": [{
                "class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
                "config": {
                    "name": "json",
                    "logDirectory": "/tmp/logs",
                    "topics": [ "access" ]
                }
            }]
        }
    },

See Also

How do I generate more detailed debug logs to diagnose an issue in IG (All versions)?

Gateway Guide › Logging Events

Gateway Guide › Reference Logback Configuration


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.