DOCS-8276: Log Redaction with redactClientLogData

Author: ravindk89

source/administration/monitoring.txt

@@ -264,7 +264,7 @@ a paid subscription.
 
      - |MMS| is a cloud-based suite of services for managing MongoDB
        deployments. |MMS| provides monitoring, backup, and automation
-       functionality. For an on-premise solution, see also 
+       functionality. For an on-premise solution, see also
        :products:`Ops Manager, available in MongoDB Enterprise Advanced
        </mongodb-enterprise-advanced?jmp=docs>`.
 
@@ -354,6 +354,61 @@ affect logging:
 - :dbcommand:`logRotate`. Rotates the log files for :program:`mongod`
   processes only. See :doc:`/tutorial/rotate-log-files`.
 
+.. _monitoring-log-redaction:
+
+Log Redaction
+~~~~~~~~~~~~~
+
+.. versionadded:: 3.4 Available in MongoDB Enterprise only
+
+A :program:`mongod` running with :setting:`security.redactClientLogData`
+redacts :doc:`messages </reference/log-messages>` associated with any given
+log event before logging, leaving only metadata, source files, or line numbers
+related to the event. :setting:`security.redactClientLogData` prevents
+potentially sensitive information from entering the system log at the cost of
+diagnostic detail.
+
+For example, the following operation inserts a document into a 
+:program:`mongod` running without log redaction. The :program:`mongod` 
+has :setting:`systemLog.component.query.verbosity` set to ``0``:
+
+.. code-block:: javascript
+
+   db.clients.insertOne( { "name" : Joe, "PII" : "Sensitive Information" } )
+   
+This operation produces the following log event:
+
+.. code-block:: text
+
+   2016-09-23T13:51:43.572-0400 I COMMAND  [conn1] command employeeData.directory 
+      appName: "MongoDB Shell" 
+      command: insert {
+         insert: "directory", 
+         documents: [ 
+            { 
+               _id: ObjectId('57e56baf6a71e2b785153aec'), 
+               name: "Joe", 
+               PII: "Sensitive Information" 
+            } 
+         ],
+         ...
+
+A :program:`mongod` running with :setting:`security.redactClientLogData` 
+performing the same insert operation produces the following log event:
+
+.. note:: 
+
+   The exact redacted output may change leading up to the MongoDB 3.4 release.
+   This output is based on the 3.3 development series build.
+
+.. code-block:: text
+
+   2016-09-23T13:51:43.572-0400 I COMMAND  [conn1] ###
+   
+Use :setting:`~security.redactClientLogData` in conjunction with
+:doc:`encryption </core/security-encryption>` to assist compliance with
+regulatory requirements.
+
 Diagnosing Performance Issues
 -----------------------------
 
@@ -497,7 +552,7 @@ using this lock.
 
    .. toctree::
       :titlesonly:
-      
+
       /tutorial/monitor-with-snmp
       /tutorial/monitor-with-snmp-on-windows
-      /tutorial/troubleshoot-snmp
+      /tutorial/troubleshoot-snmp

source/core/security-encryption-at-rest.txt

@@ -99,6 +99,25 @@ transport encryption.
 
 For details, see :ref:`rotate-encryption-keys`.
 
+Logging
+~~~~~~~
+
+.. versionadded:: 3.4 Available in MongoDB Enterprise only
+
+The log file is not encrypted as a part of MongoDB's encrypted storage engine.
+A :program:`mongod` running with :ref:`logging <monitoring-standard-loggging>`
+may output potentially sensitive information to log files as a part of normal
+operations, depending on the configured :ref:`log verbosity
+<log-messages-configure-verbosity>`.
+
+MongoDB 3.4 Enterprise provides the :setting:`security.redactClientLogData`
+setting to prevent potentially sensitive information from entering the
+:program:`mongod` process log. :setting:`~security.redactClientLogData`
+reduces detail in the log and may complicate log diagnostics.
+
+See the :ref:`log redaction <monitoring-log-redaction>` manual entry for
+more information.
+
 .. _app-level-encryption:
 
 Application Level Encryption
@@ -107,7 +126,7 @@ Application Level Encryption
 Application Level Encryption provides encryption on a per-field or
 per-document basis within the application layer. To encrypt document or
 field level data, write custom encryption and decryption routines or
-use a commercial solution. 
+use a commercial solution.
 
 .. include:: /includes/partners-security.rst
 
@@ -118,3 +137,4 @@ use a commercial solution.
 
       /tutorial/configure-encryption
       /tutorial/rotate-encryption-key
+

source/includes/options-conf.yaml

@@ -1786,4 +1786,15 @@ inherit:
   name: inMemorySizeGB
   program: mongod
   file: options-mongod.yaml
+---
+program: conf
+name: security.redactClientLogData
+type: boolean
+directive: setting
+inherit:
+  name: redactClientLogData
+  program: mongod
+  file: options-mongod.yaml
+replacement:
+  program: :program:`mongod`
 ...

source/includes/options-mongod.yaml

@@ -2164,4 +2164,37 @@ description: |
      prior to restarting {{program}} without {{role}}.
 
 optional: true
+---
+program: mongod
+name: redactClientLogData
+args: null
+directive: option
+description: |
+  .. versionadded:: 3.4 Available in MongoDB Enterprise only.
+  
+  A {{program}} running with {{role}} redacts any message accompanying a given
+  log event before logging. This prevents the {{program}} from writing
+  potentially sensitive data stored on the database to the diagnostic log.
+  Metadata such as error or operation codes, line numbers, and source file
+  names are still visible in the logs.
+  
+  Use {{role}} in conjunction with :doc:`encryption
+  </core/security-encryption>` to assist compliance with regulatory
+  requirements.
+  
+  For example, a {{program}} might store Personally Identifiable Information
+  (PII) in one or more collections. The {{program}} logs events related to CRUD
+  operations, sharding metadata, or replication information. It is possible
+  that the {{program}} may expose PII as a part of these logging operations.
+  A {{program}} running with {{role}} removes any message accompanying
+  these events before being output to the log, effectively removing the PII.
+  
+  Diagnostics on a {{mongod}} running with {{role}} may be more difficult
+  due to the lack of data related to a log event. See the 
+  :ref:`process logging <monitoring-log-redaction>` manual page for an 
+  example of the effect of {{role}} on log output.
+  
+  You can toggle {{role}} on or off using :dbcommand:`setParameter` during
+  runtime.
+  
 ...

source/reference/configuration-options.txt

@@ -349,8 +349,9 @@ Core Options
       keyFile: <string>
       clusterAuthMode: <string>
       authorization: <string>
-      transitionToAuth: <bool>
+      transitionToAuth: <boolean>
       javascriptEnabled:  <boolean>
+      redactClientLogData: <boolean>
       sasl:
          hostName: <string>
          serviceName: <string>
@@ -377,6 +378,8 @@ Core Options
 
 .. include:: /includes/option/setting-conf-security.javascriptEnabled.rst
 
+.. include:: /includes/option/setting-conf-security.redactClientLogData.rst
+
 .. _encryption-key-management-conf-options:
 
 Key Management Configuration Options

source/reference/program/mongod.txt

@@ -129,6 +129,8 @@ Core Options
 
 .. include:: /includes/option/option-mongod-shutdown.rst
 
+.. include:: /includes/option/option-mongod-redactClientLogData.rst
+
 Storage Options
 ~~~~~~~~~~~~~~~
 

source/tutorial/sharding-high-availability-writes.txt

@@ -26,7 +26,7 @@ election or datacenter failure.
 
    These concepts require familiarity with MongoDB :term:`sharded clusters
    <sharded cluster>`, :term:`replica sets <replica set>`, and the general
-   behavior of :ref:`tag-aware-sharding`.
+   behavior of :ref:`zones <zone-sharding>`.
 
    This tutorial assumes an insert-only or insert-intensive workload. The
    concepts and strategies discussed in this tutorial are not well suited for