Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
Attribute Based Log Field Syntaxes are used to define the behavior for logging values that may contain one or more attribute name-value pairs, including LDAP DNs and filters.
The Attribute Based Log Field Syntax component inherits from the Log Field Syntax.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
default-behavior | |
included-sensitive-attribute | |
excluded-sensitive-attribute | |

description

Description | A description for this Log Field Syntax |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |

default-behavior

Description | The default behavior that the server should exhibit when logging fields with this syntax. This may be overridden on a per-field basis. |
Default Value | preserve |
Allowed Values | preserve - Log the field with the intended value. The value will be preserved, although it may be sanitized for parsability or safety purposes (for example, to escape special characters in the value), and it may be truncated if the value is too long. |
 | omit - Completely omit the field from the log message. Neither the field name nor its value will be included. |
 | redact-entire-value - Log the field name, but redact the entire value so that it is not possible to determine what the original value was. In many cases, the redacted value will preserve the syntax for the original value (for example, the redacted representation of an integer will be a placeholder integer value), but this may not be possible for all syntaxes (for example, Boolean values). |
 | redact-value-components - Log the field name, but redact components of the provided value to the extent possible. If values of this syntax may be comprised of multiple components, then some components may be individually redacted (for example, in an LDAP DN or search filter, attribute names may be preserved while the values are redacted, and it may even be possible to configure redaction for only values of a subset of attributes). If the syntax does not support redacting components within a value, then the entire value will be redacted. |
 | tokenize-entire-value - Log the field name, but generate a token for the entire value that protects the actual content of the original value while still making it possible to identify other places where the same value appears elsewhere in the log. In many cases, the tokenized value will preserve the syntax for the original value, but this may not be possible for all syntaxes. |
 | tokenize-value-components - Log the field name, but tokenize components of the provided value to the extent possible (for example, in an LDAP DN or search filter, each attribute value may be replaced with a token that represents that value, while attribute names may be preserved). If the syntax does not support tokenizing components within a value, then the entire value will be tokenized. |
Multi-Valued | No |
Required | No |
Admin Action Required | The Attribute Based Log Field Syntax must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of default-behavior values will not take effect until the server is restarted or access loggers using this syntax have been disabled and re-enabled. |

included-sensitive-attribute

Description | The set of attribute types that will be considered sensitive. If any included sensitive attributes are defined, and if a logger is configured to redact or tokenize values for a given log field with this syntax, then only values of attributes declared as sensitive will have their values redacted or tokenized, and the values of other attributes (and other elements of the log field value, like attribute names) will be preserved. If any excluded sensitive attributes are defined, and if a logger is configured to redact or tokenize values for a given log field with this syntax, then the values of any attributes listed in the set of excluded sensitive attributes will be preserved, and the values of all other attributes will be redacted or tokenized. If neither included nor excluded sensitive attributes are defined, then all attributes will be considered sensitive by default. You cannot configure both included and excluded sensitive attributes for the same syntax. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The Attribute Based Log Field Syntax must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of included-sensitive-attribute values will not take effect until the server is restarted or access loggers using this syntax have been disabled and re-enabled. |

excluded-sensitive-attribute

Description | The set of attribute types that will not be considered sensitive. If any included sensitive attributes are defined, and if a logger is configured to redact or tokenize values for a given log field with this syntax, then only values of attributes declared as sensitive will have their values redacted or tokenized, and the values of other attributes (and other elements of the log field value, like attribute names) will be preserved. If any excluded sensitive attributes are defined, and if a logger is configured to redact or tokenize values for a given log field with this syntax, then the values of any attributes listed in the set of excluded sensitive attributes will be preserved, and the values of all other attributes will be redacted or tokenized. If neither included nor excluded sensitive attributes are defined, then all attributes will be considered sensitive by default. You cannot configure both included and excluded sensitive attributes for the same syntax. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The Attribute Based Log Field Syntax must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of excluded-sensitive-attribute values will not take effect until the server is restarted or access loggers using this syntax have been disabled and re-enabled. |
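
The included/excluded rules above, applied to an LDAP DN under redact-value-components and tokenize-value-components, as an added Python model that is not the server's own code. The placeholder text, the token format, the key, the sample DN and the simplified DN splitting are assumptions of this example; attribute names are matched case-insensitively with no OID or schema alias resolution.

```python
import hashlib
import hmac

REDACTED = "{REDACTED}"  # assumed placeholder text for this example
TOKEN_KEY = b"constructed-demo-key"  # constructed key, for this example only
SAMPLE_DN = "uid=jdoe+mail=jdoe@example.com,ou=People,dc=example,dc=com"  # constructed

def is_sensitive(attr, included=(), excluded=()):
    """Included/excluded-sensitive-attribute rules for one attribute name."""
    if included and excluded:
        raise ValueError("cannot configure both included and excluded sensitive attributes")
    name = attr.strip().lower()
    if included:
        return name in {a.lower() for a in included}
    if excluded:
        return name not in {a.lower() for a in excluded}
    return True  # neither set defined: all attributes are sensitive

def tokenize(value):
    """Keyed hash, so equal values yield equal tokens across log lines."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "{TOKEN:" + digest[:12] + "}"

def split_unescaped(text, sep):
    """Split on sep unless it is escaped with a backslash."""
    parts, current, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current, i = current + text[i:i + 2], i + 2
        elif text[i] == sep:
            parts, current, i = parts + [current], "", i + 1
        else:
            current, i = current + text[i], i + 1
    return parts + [current]

def log_dn(dn, behavior, included=(), excluded=()):
    """Apply redact-value-components or tokenize-value-components to a DN."""
    protect = {"redact-value-components": lambda v: REDACTED,
               "tokenize-value-components": tokenize}[behavior]
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")  # attribute names are always preserved
            if is_sensitive(attr, included, excluded):
                value = protect(value)
            avas.append(attr + "=" + value)
        rdns.append("+".join(avas))
    return ",".join(rdns)
```
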
To list the configured Log Field Syntaxes:
dsconfig list-log-field-syntaxes [--property {propertyName}] ...
To view the configuration for an existing Log Field Syntax:
dsconfig get-log-field-syntax-prop --syntax-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Log Field Syntax:
dsconfig set-log-field-syntax-prop --syntax-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...