diff --git a/README.md b/README.md index 7f83770..6fd4c54 100644 --- a/README.md +++ b/README.md 
@@ -135,19 +135,28 @@ When integrated with Monolog and CloudWatch, logs are automatically sent to Clou ### Sensitive Field Masking -By default, the following sensitive fields have their values masked in logs: +The module provides configurable masking of sensitive field values in entity change logs. When sensitive fields are modified, they appear in logs with masked values (e.g., `***MASKED***`) instead of actual values, providing an audit trail while protecting sensitive data. + +#### Default Sensitive Fields + +By default, the following field has its value masked: - `pass` - User passwords -- `uuid` - Entity UUIDs -- `revision_timestamp` - Revision timestamps -- `revision_uid` - Revision authors -- `revision_log` - Revision log messages -- `changed` - Changed timestamps -When these fields are modified, they appear in the logs with masked values (e.g., `***MASKED***`) instead of actual values, providing an audit trail while protecting sensitive data. +#### Configuring Sensitive Fields + +You can customize which fields are masked through the administrative interface: + +1. Navigate to **Configuration** > **Development** > **Logging and errors** (`/admin/config/development/logging`) +2. Click on the **UCEAP Logging** tab +3. Enter field machine names (one per line) in the "Sensitive Fields" textarea +4. Click "Save configuration" -Additionally, computed and internal fields are automatically excluded from logging as they are derived values. +#### Automatically Excluded Fields -To customize which fields are masked, modify the `$sensitive_fields` array in `_uceap_logging_get_entity_field_changes()`. +In addition to user-configured sensitive fields, the following field types are automatically excluded from change tracking entirely: +- Computed fields (derived values) +- Internal fields (system-managed) +- Specific metadata fields: `changed`, `revision_timestamp`, `revision_uid`, `revision_log` ### Logger Channels 
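Review bot: The new "Configuring Sensitive Fields" steps (`/admin/config/development/logging`, then the **UCEAP Logging** tab) cannot be verified against this patch, which adds `src/Form/LoggingSettingsForm.php` but no `uceap_logging.routing.yml` or `uceap_logging.links.task.yml`; add the route and local-task definitions in the same commit or the documented path will 404. Two further points in this hunk: `uuid` is dropped from the masked list but does not reappear under "Automatically Excluded Fields", so if entity UUIDs are now written to the log in the clear, state that as a deliberate behaviour change rather than leaving it implicit; and the removed sentence about editing `$sensitive_fields` in `_uceap_logging_get_entity_field_changes()` is not matched by any change to the `.module` file in this diff, so confirm that function now reads `sensitive_fields` from `uceap_logging.settings` and still hard-codes the `changed` / `revision_*` exclusions the README describes.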
diff --git a/config/install/uceap_logging.settings.yml b/config/install/uceap_logging.settings.yml new file mode 100644 index 0000000..8f412ae --- /dev/null +++ b/config/install/uceap_logging.settings.yml @@ -0,0 +1,2 @@ +sensitive_fields: + - pass diff --git a/config/schema/uceap_logging.schema.yml b/config/schema/uceap_logging.schema.yml new file mode 100644 index 0000000..5d8b974 --- /dev/null +++ b/config/schema/uceap_logging.schema.yml @@ -0,0 +1,10 @@ +uceap_logging.settings: + type: config_object + label: 'UCEAP Logging Settings' + mapping: + sensitive_fields: + type: sequence + label: 'Sensitive fields' + sequence: + type: string + label: 'Field name' diff --git a/src/Form/LoggingSettingsForm.php b/src/Form/LoggingSettingsForm.php new file mode 100644 index 0000000..f3de946 --- /dev/null +++ b/src/Form/LoggingSettingsForm.php @@ -0,0 +1,82 @@ +config('uceap_logging.settings'); + + $form['sensitive_fields'] = [ + '#type' => 'textarea', + '#title' => $this->t('Sensitive Fields'), + '#description' => $this->t('Enter field machine names (one per line) that should have their values masked in entity change logs. When these fields are modified, they will appear in logs with masked values (e.g., ***MASKED***) instead of actual values.'), + '#default_value' => implode("\n", $config->get('sensitive_fields') ?? []), + '#rows' => 10, + ]; + + $form['help'] = [ + '#type' => 'details', + '#title' => $this->t('Examples'), + '#open' => FALSE, + ]; + + $form['help']['examples'] = [ + '#markup' => $this->t('
Common sensitive fields include:
+field_ssn - Social Security Numberspass - User passwordsfield_bank_account - Banking informationfield_credit_card - Payment informationfield_api_key - API keys or tokensNote: The following fields are automatically excluded from logging: changed, revision_timestamp, revision_uid, revision_log. Additionally, computed and internal fields are never logged.
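Review bot: `config/install/uceap_logging.settings.yml` is only imported when the module is first installed, so sites that already have `uceap_logging` enabled will get no `sensitive_fields` config on update, and `$config->get('sensitive_fields') ?? []` then yields an empty list, meaning `pass` is no longer masked anywhere until an administrator visits the form; ship a `hook_update_N()` (or `hook_post_update_NAME()`) that installs the default config, or fall back to `['pass']` in the code path when the key is absent. The schema in `uceap_logging.schema.yml` looks correct for the `sequence` of strings the form writes.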
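Review bot: The submit and validate handlers of `LoggingSettingsForm` are not in the visible part of the file; because `#default_value` is built with `implode("\n", ...)`, the save path must split on `/\r?\n/`, trim each line, drop blanks and de-duplicate before writing the sequence, otherwise a Windows CRLF submission or a trailing newline stores entries such as `"pass\r"` or `""` that never match a real field name and silently turn masking off for that field. Add a `validateForm()` check that each entry matches a machine-name pattern (for example `/^[a-z0-9_]+$/`) so typos are rejected at save time instead of being stored. The `#markup` help block also hard-codes the excluded fields (`changed`, `revision_timestamp`, `revision_uid`, `revision_log`) that the README lists separately; derive both from one constant or they will drift.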