# Logging Redaction

ESS supports configurable redaction of JSON log messages.

## Configure Redaction Rules

For an ESS service, operators can configure various **`INRUPT_LOGGING_REDACTION_{NAME}_`** settings to create the redaction rules.

To specify a rule for an ESS service, the operator:

1. Determines a **`{NAME}`** to use for the redaction rule. See also [Uniqueness of Rule Name](#uniqueness-of-rule-name).
2. Determines the target of the redaction rule by setting one of the following configurations for the service:

   <table><thead><tr><th width="381.6463623046875">Configuration</th><th>Description</th></tr></thead><tbody><tr><td><strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong></td><td>To target a specific log message field.</td></tr><tr><td><strong><code>INRUPT_LOGGING_REDACTION_{NAME}_PATTERN</code></strong></td><td>To target log message text that matches a specified pattern.</td></tr><tr><td><strong><code>INRUPT_LOGGING_REDACTION_{NAME}_EXCEPTION</code></strong></td><td>To target an exception message class.</td></tr></tbody></table>
3. Specifies the action in **`INRUPT_LOGGING_REDACTION_{NAME}_ACTION`**:

   <table data-header-hidden><thead><tr><th width="157.77734375">Action</th><th>Description</th></tr></thead><tbody><tr><td><strong><code>REPLACE</code></strong></td><td><em>Default.</em> Replaces the matching text with a specified replacement.</td></tr><tr><td><strong><code>PLAIN</code></strong></td><td>Leaves the matching field unprocessed. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>DROP</code></strong></td><td>Suppresses the matching field. Only available if the redaction target is a field (i.e., <strong><code>INRUPT_LOGGING_REDACTION_{NAME}_FIELD</code></strong>).</td></tr><tr><td><strong><code>PRIORITIZE</code></strong></td><td>Changes the log level of the matching message.</td></tr><tr><td><strong><code>SHA256</code></strong></td><td>Replaces the matching text with its hash.</td></tr></tbody></table>
4. Specifies any associated configuration for the specified action:

   * If the action is **`REPLACE`**, the operator can specify **`INRUPT_LOGGING_REDACTION_{NAME}_REPLACEMENT`** (or use the default **`[REDACTED]`**).
   * If the action is **`PRIORITIZE`**, the operator can specify the **`INRUPT_LOGGING_REDACTION_{NAME}_LEVEL`** (or use the default **`DEBUG`**).

## Considerations

### Uniqueness of Rule Name

Configurations with the same name, including redaction configurations, override the preceding value. For example, assume an operator has created the following redaction configuration for a service:

| Configuration                               | Value        |
| ------------------------------------------- | ------------ |
| **`INRUPT_LOGGING_REDACTION_RULE1_FIELD`**  | **`userid`** |
| **`INRUPT_LOGGING_REDACTION_RULE1_ACTION`** | **`PLAIN`**  |

These configurations create a redaction rule that:

* Targets the field **`userid`** and
* Uses the **`PLAIN`** action, which leaves the **`userid`** value as is.

If the operator later wants to update the target field to **`username`** instead of **`userid`**, the operator can update the **`INRUPT_LOGGING_REDACTION_RULE1_FIELD`** configuration value to **`username`**.

With this configuration update, the updated redaction rule now:

* Targets the field **`username`** and
* Uses the **`PLAIN`** action, which leaves the **`username`** value as is.

**However**, consider the case where another operator wants to create a new redaction rule for this service. If this operator also uses **`RULE1`** for the **`{NAME}`** and decides to use the default **`REPLACE`** action, the operator may decide to set only the following configuration:

| Configuration                              | Value          |
| ------------------------------------------ | -------------- |
| **`INRUPT_LOGGING_REDACTION_RULE1_FIELD`** | **`password`** |

The second operator may assume that with this configuration, the redaction rule will use the default **`REPLACE`** action with the default replacement **`[REDACTED]`**. Instead, the service has the following configurations in place:

| Configuration                               | Value          |
| ------------------------------------------- | -------------- |
| **`INRUPT_LOGGING_REDACTION_RULE1_FIELD`**  | **`password`** |
| **`INRUPT_LOGGING_REDACTION_RULE1_ACTION`** | **`PLAIN`**    |

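The **`PLAIN`** action set for the earlier rule is still in effect, so the **`password`** value is left as is instead of being replaced.

Because the redaction configurations depend on a user-specified **`{NAME}`**: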

* Ensure the uniqueness of the **`{NAME}`** when creating new redaction rules.
* Explicitly specify the action.
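
The following audit script is an added example, not part of ESS or its documentation. It checks a service's redaction settings against the rules described on this page: one target per rule, `PLAIN`/`DROP` only on field targets, an explicit action, and no rule whose settings were contributed by more than one source. The layered `(source, settings)` input model, the source names, and the sample values are assumptions constructed for illustration.

```python
import re

# Suffixes documented on this page for INRUPT_LOGGING_REDACTION_{NAME}_*.
TARGETS = {"FIELD", "PATTERN", "EXCEPTION"}
KEY_RE = re.compile(
    r"^INRUPT_LOGGING_REDACTION_(.+)_(FIELD|PATTERN|EXCEPTION|ACTION|REPLACEMENT|LEVEL)$")

def audit(layers):
    """layers: ordered list of (source, {key: value}); later layers override
    earlier ones. Returns a sorted list of (rule_name, finding) tuples."""
    rules = {}  # rule name -> {suffix: (effective value, source that set it)}
    for source, settings in layers:
        for key, value in settings.items():
            m = KEY_RE.match(key)
            if m:
                rules.setdefault(m.group(1), {})[m.group(2)] = (value, source)
    findings = []
    for name, parts in rules.items():
        targets = TARGETS & parts.keys()
        if len(targets) != 1:
            findings.append((name, "expected exactly one of FIELD/PATTERN/EXCEPTION"))
        if "ACTION" not in parts:
            findings.append((name, "ACTION not set explicitly; default REPLACE applies"))
        # The audit compares action names case-insensitively (a choice made here).
        action = parts.get("ACTION", ("REPLACE", None))[0].upper()
        if action in {"PLAIN", "DROP"} and targets != {"FIELD"}:
            findings.append((name, f"{action} is only available for FIELD targets"))
        # A rule assembled from several sources is the name-collision case.
        sources = {src for _, src in parts.values()}
        if len(sources) > 1:
            findings.append((name, "settings come from multiple sources: "
                             + ", ".join(sorted(sources))))
    return sorted(findings)

# Constructed sample reproducing the RULE1 scenario; source names are hypothetical.
SAMPLE_LAYERS = [
    ("operator-a", {"INRUPT_LOGGING_REDACTION_RULE1_FIELD": "userid",
                    "INRUPT_LOGGING_REDACTION_RULE1_ACTION": "PLAIN"}),
    ("operator-b", {"INRUPT_LOGGING_REDACTION_RULE1_FIELD": "password"}),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LAYERS):
        print(f"{name}: {finding}")
```

Running the audit before deploying a configuration change surfaces a reused `{NAME}` while the effective rule can still be corrected.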

