Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
JSON Formatted Access Log Field Behaviors are used to define the to use when logging fields to a JSON-formatted access log.
The JSON Formatted Access Log Field Behavior component inherits from the Log Field Behavior
The following components have a direct aggregation relation to JSON Formatted Access Log Field Behaviors:
The properties supported by this managed object are as follows:
Description | A description for this Log Field Behavior |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The default behavior that the server should exhibit for fields for which no explicit behavior is defined. If no default behavior is defined, the server will fall back to using the default behavior configured for the syntax used for each log field. |
Default Value | None |
Allowed Values | preserve - Log the field with the intended value. The value will be preserved, although it may be sanitized for parsability or safety purposes (for example, to escape special characters in the value), and it may be truncated if the value is too long. omit - Completely omit the field from the log message. Neither the field name or its value will be included. redact-entire-value - Log the field name, but redact the entire value so that it is not possible to determine what the original value was. In many cases, the redacted value will preserve the syntax for the original value (for example, the redacted representation of an integer will be a placeholder integer value), but this may not be possible for all syntaxes (for example, Boolean values). redact-value-components - Log the field name, but redact components of the provided value to the extent possible. If values of this syntax may be comprised of multiple components, then some components may be individually redacted (for example, in an LDAP DN or search filter, attribute names may be preserved while the values are redacted, and it may even be possible to configure redaction for only values of a subset of attributes). If the syntax does not support redacting components within a value, then the entire value will be redacted. tokenize-entire-value - Log the field name, but generate a token for the entire value that protects the actual content of the original value while still making it possible to identify other places where the same value appears elsewhere in the log. In many cases, the tokenized value will preserve the syntax for the original value, but this may not be possible for all syntaxes. tokenize-value-components - Log the field name, but tokenize components of the provided value to the extent possible (for example, in an LDAP DN or search filter, each attribute value may be replaced with a token that represents that value, while attribute names may be preserved). If the syntax does not support tokenizing components within a value, then the entire value will be tokenized. |
Multi-Valued | No |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of default-behavior values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The log fields whose values should be logged with the intended value. The values for these fields will be preserved, although they may be sanitized for parsability or safety purposes (for example, to escape special characters in the value), and values that are too long may be truncated. |
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of preserve-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The names of any custom fields whose values should be preserved. This should generally only be used for fields that are not available through the preserve-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of preserve-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The log fields that should be omitted entirely from log messages. Neither the field name nor value will be included. |
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of omit-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The names of any custom fields that should be omitted from log messages. This should generally only be used for fields that are not available through the omit-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of omit-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The log fields whose values should be completely redacted in log messages. The field name will be included, but with a fixed value that does not reflect the actual value for the field. If possible, the redacted value will conform to the syntax used for the associated log field. The redacted values for each supported syntax include:
|
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-entire-value-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
redact-entire-value-field-name
Description | The names of any custom fields whose values should be completely redacted. This should generally only be used for fields that are not available through the redact-entire-value-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-entire-value-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
Description | The log fields whose values will include redacted components. Redacting value components is really only possible for fields with the string list, DN, filter, and JSON object syntaxes. For fields with other syntaxes, attempting to redact value components will cause the entire value to be redacted. For fields with the string list syntax, each item in the list will be replaced with the string "{REDACTED}". For example, a list of three items will appear as "{REDACTED},{REDACTED},{REDACTED}". For fields with the DN syntax, attribute values may be redacted, but the rest of the DN may remain intact (for example, "uid={REDACTED},ou={REDACTED},dc={REDACTED},dc={REDACTED}"). The same is true for fields with a search filter syntax (for example, "(&(uid={REDACTED})(objectClass={REDACTED}))". In both cases, the syntax may optionally be configured with the names of the attributes to include in or exclude from the redaction so that only certain attributes (or all but certain attributes) will have their values redacted and all other attribute values will be preserved. For fields with a JSON object syntax, JSON field values may be redacted, but the names of the fields will not be (for example, "{ 'firstName':'{REDACTED}', 'lastName':'{REDACTED}' }"). The syntax may optionally be with the names of the fields to include in or exclude from the redaction so that only certain fields (or all but certain fields) will have their values redacted and all other field values will be preserved. Note that if a JSON field is to be redacted, the value of that field will always be replaced with the string "{REDACTED}", regardless of the data type that the JSON value originally had. |
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-value-components-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
redact-value-components-field-name
Description | The names of any custom fields for which to redact components within the value. This should generally only be used for fields that are not available through the redact-value-components-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The log fields whose values should be completely tokenized in log messages. The field name will be included, but the value will be replaced with a token that does not reveal the actual value, but that is generated from the value. If the same value appears multiple times in the log, then the same token will be used each time that value appears so that it will be possible to identify log messages for operations using that same value even if the value itself is not revealed. If possible, tokenized values will conform to the syntax used for the associated log field. The redacted values for each supported syntax include:
|
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-entire-value-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
tokenize-entire-value-field-name
Description | The names of any custom fields whose values should be completely tokenized. This should generally only be used for fields that are not available through the tokenize-entire-value-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-entire-value-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
tokenize-value-components-field
Description | The log fields whose values will include tokenized components. Tokenizing value components is really only possible for fields with the string list, DN, filter, and JSON object syntaxes. For fields with other syntaxes, attempting to tokenize value components will cause the entire value to be tokenized. For fields with the string list syntax, each item in the list will be tokenized individually. For example, a list of two items will appear as "{TOKENIZED:token-value-1},{TOKENIZED:token-value-1}". For fields with the DN syntax, attribute values may be tokenized, but the rest of the DN may remain intact (for example, "dc={TOKENIZED:token-value-1},dc={TOKENIZED:token-value-2}"). The same is true for fields with a search filter syntax (for example, "(&(uid={TOKENIZED:token-value-1})(objectClass={TOKENIZED:token-value-2}))". In both cases, the syntax may optionally be configured with the names of the attributes to include in or exclude from the tokenization so that only certain attributes (or all but certain attributes) will have their values tokenized and all other attribute values will be preserved. For fields with a JSON object syntax, JSON field values may be tokenized, but the names of the fields will not be (for example, "{ 'firstName':'{TOKENIZED:token-value-1}', 'lastName':'{TOKENIZED:token-value-2}' }"). The syntax may optionally be configured with the names of the fields to include in or exclude from the tokenization so that only certain fields (or all but certain fields) will have their values tokenized. Note that if a JSON field is to be tokenized, the value of that field will always be replaced with a generated string, regardless of the data type that the JSON value originally had. |
Default Value | None |
Allowed Values | abandon-message-id - The message ID for an operation to be abandoned or canceled. add-attributes - The list of attributes included in an add request. add-entry-dn - The DN of an entry to be added. add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation. additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation. administrative-operation - The message from an administrative operation request control included in the operation request. assured-replication-requirements - A JSON object with the assured replication requirements for the operation. assured-replication-requirements-altered-by-request-control - Indicates whether the assured replication requirements were altered by an assured replication request control. assured-replication-requirements-local-assurance-level - The level of replication assurance desired from servers in the same location as this Directory Server. assured-replication-requirements-remote-assurance-level - The level of replication assurance desired from servers in different locations than this Directory Server. assured-replication-requirements-response-delayed-by-assurance - Indicates whether the operation response was delayed by assured replication processing. assured-replication-requirements-assurance-timeout-millis - The maximum length of time to delay the response while waiting for replication assurance processing. authorization-dn - The DN used as the alternate authorization identity for an operation. auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation. bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token. bind-authentication-dn - The DN of the user that was authenticated by a bind operation. bind-authentication-failure-reason - A JSON object with information about the reason for an authentication failure. bind-authentication-failure-reason-id - The numeric identifier for the authentication failure reason. bind-authentication-failure-reason-message - A message with additional information about an authentication failure. bind-authentication-failure-reason-name - The name for the authentication failure reason. bind-authentication-type - The name of the authentication type for a bind request. bind-authorization-dn - The DN of the authorization identity resulting from a bind operation. bind-dn - The bind DN included in a bind request. bind-protocol-version - The protocol version specified in a bind request. bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server. bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation. change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry. cipher - The name of the cipher algorithm that was negotiated for the client connection. client-connection-policy - The name of the client connection policy that has been assigned to the associated connection. collect-support-data-comment - A comment provided when invoking the collect support data tool. collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted. collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect. collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server. collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive. collect-support-data-log-duration - The duration of log messages to include in a collect support data archive. collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive. collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive. collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive. collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive. collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive. collect-support-data-security-level - The security level to use when including data in a collect support data archive. collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel. compare-attribute-name - The name of the attribute targeted by a compare operation. compare-entry-dn - The DN of the entry targeted by a compare operation. connect-from-address - The address of the client from which a connection has been established. connect-from-port - The remote client port from which a connection has been established. connect-to-address - The server address to which a client connection has been established. connect-to-port - The server port to which a connection has been established. connection-id - The numeric identifier that the server has assigned to a client connection. delete-entry-dn - The DN of an entry targeted by a delete operation. delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation. deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation. deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation. deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation. deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation. deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation. deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation. diagnostic-message - The diagnostic message for an operation, which is included in the response to the client. disconnect-message - A message with additional information about a connection closure. disconnect-reason - The general reason for a connection closure. entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation. entry-rebalancing-base-dn - The base DN for an entry rebalancing operation. entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation. entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing. entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation. entry-rebalancing-size-limit - The size limit for an entry rebalancing operation. entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation. entry-rebalancing-source-server - A JSON object with information about the source server for an entry rebalancing operation. entry-rebalancing-source-server-address - The address of the source server for an entry rebalancing operation. entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-source-server-port - The address of the port server for an entry rebalancing operation. entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation. entry-rebalancing-target-server - A JSON object with information about the target server for an entry rebalancing operation. entry-rebalancing-target-server-address - The address of the target server for an entry rebalancing operation. entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation. entry-rebalancing-target-server-port - The address of the port server for an entry rebalancing operation. export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation. export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation. export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria. export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter. export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password. export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation. export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output. export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords. export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords. export-reversible-passwords-filter - A filter to used to identify entries to include in an export reversible passwords extended operation. export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output. export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported. export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation. export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation. export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation. export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation. extended-request-oid - The request OID for an extended operation. extended-request-type - The name for an extended request type. extended-response-oid - The response OID for an extended operation extended-response-type - The name for an extended response type. externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind. generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation. generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation. generate-password-password-generator - The name of the password generator to use for a generate password extended operation. generate-password-password-policy - The name of the password policy to use for a generate password extended operation. get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation. gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind. gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind. gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind. indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit. indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit. instance-name - The name of the server instance. inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind. inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind. inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind. inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by in inter-server request control. inter-server-request-controls - An array of JSON objects with information about inter-server request controls provided with the operation. inter-server-request-controls-component-name - The component name from an inter-server request control. inter-server-request-controls-operation-purpose - The operation-purpose from an inter-server request control. inter-server-request-controls-properties - An array of JSON objects with information about properties included in an inter-server request control. inter-server-request-controls-properties-name - The name of an inter-server request control property. inter-server-request-controls-properties-value - The value of an inter-server request control property. intermediate-client-request-control - A JSON object with information about an intermediate client request control included in the operation request. intermediate-client-request-control-client-identity - The client identity from an inter-server request control. intermediate-client-request-control-client-name - The client name from an inter-server request control. intermediate-client-request-control-downstream-client-address - The downstream client address from an inter-server request control. intermediate-client-request-control-downstream-client-secure - Indicates whether communication with a downstream client is secure. intermediate-client-request-control-downstream-request - A downstream request from an inter-server request control. intermediate-client-request-control-request-id - The request ID from an inter-server request control. intermediate-client-request-control-session-id - The session ID from an inter-server request control. intermediate-client-response-control - A JSON object with information about an intermediate client response control included in the operation result. intermediate-client-response-control-response-id - The response ID from an inter-server response control. intermediate-client-response-control-server-name - The server name from an inter-server response control. intermediate-client-response-control-session-id - The session ID from an inter-server response control. intermediate-client-response-control-upstream-response - An upstream response from an inter-server response control. intermediate-client-response-control-upstream-server-address - The upstream server address from an inter-server response control. intermediate-client-response-control-upstream-server-secure - Indicates whether communication with an upstream server is secure. intermediate-response-name - The name of an intermediate response that was returned to the client. intermediate-response-oid - The OID of an intermediate response that was returned to the client. intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client. intermediate-responses-returned - The number of intermediate response messages returned to the client. ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client. local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation. log-type - The log type for the access log message. matched-dn - The matched DN for the associated operation. message-id - The numeric message ID for the associated operation. message-type - The message type for the access log message. missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have. moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation. moddn-entry-dn - The DN of an entry targeted by a modify DN operation. moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation. moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation. modify-attributes - The names of the attributes targeted by a modify operation. modify-entry-dn - The DN of an entry targeted by a modify operation. multi-update-connection-id - The connection ID for an associated multi-update extended operation. multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation. multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation. multi-update-operation-id - The operation ID for an associated multi-update extended operation. non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control. non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them. oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind. oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active. oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind. oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind. operation-id - A numeric identifier for the associated operation. operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation. operation-purpose - A JSON object with information about an operation purpose request control included in the operation request. operation-purpose-application-name - The application name from an operation purpose request control. operation-purpose-application-version - The application version from an operation purpose request control. operation-purpose-code-location - The code location from an operation purpose request control. operation-purpose-request-purpose - The request purpose from an operation purpose request control. operation-type - The operation type for the access log message. origin - The origin for the associated operation. origin-details - A JSON object with details about the operation origin. origin-details-name - The name of an origin details item. origin-details-value - The value of an origin details item. pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt. pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded. pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password. password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation. password-modify-target-entry - The target user DN for a password modify extended operation. password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation. password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation. password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed. password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored. password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored. password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change. password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password. password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt. peer-certificate-chain - A JSON object with information about a peer certificate chain presented during TLS negotiation. peer-certificate-chain-certificate-bytes - The hexadecimal representation of the bytes that comprise a certificate in the peer certificate chain. peer-certificate-chain-certificate-string - A string representation of a certificate in the peer certificate chain. peer-certificate-chain-certificate-type - The type of a certificate in the peer certificate chain. peer-certificate-chain-issuer-subject-dn - The issuer subject DN for a certificate in the peer certificate chain. peer-certificate-chain-not-after - The notAfter timestamp for a certificate in the peer certificate chain. peer-certificate-chain-not-before - The notBefore timestamp for a certificate in the peer certificate chain. peer-certificate-chain-serial-number - The serial number for a certificate in the peer certificate chain. peer-certificate-chain-signature-algorithm - The signature algorithm for a certificate in the peer certificate chain. peer-certificate-chain-signature-bytes - The signature bytes for a certificate in the peer certificate chain. peer-certificate-chain-subject-dn - The subject DN for a certificate in the peer certificate chain. ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt. ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt. pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt. pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password. pre-authorization-used-privileges - The names of the pre-authorization privilges used in the course of processing an operation. processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation. product-name - The name of the server product that logged the message. protocol - The name of the protocol the client is using to communicate with the server. referral-urls - A list of the referral URLs returned in an operation result or a search result reference. remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation. replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation. replace-certificate-certificate-source - The certificate source for a replace certificate extended operation. replace-certificate-key-store-error - The key store error for a replace certificate extended operation. replace-certificate-key-store-path - The key store path for a replace certificate extended operation. replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation. replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation. replace-certificate-tool-error - The tool error for a replace certificate extended operation. replication-change-id - The replication change ID for the operation. request-control-oids - The OIDs of the request controls included in the operation request. requester-dn - The DN of the user that requested the operation. requester-ip-address - The IP address of the client that requested the operation. response-control-oids - The OIDs of the response controls included in the operation request. result-code-name - The name of the result code for the associated operation. result-code-value - The numeric value of the result code for the associated operation. search-base-dn - The base DN for a search operation. search-deref-policy - The alias dereferencing policy for a search operation. search-entries-returned - The number of search result entries that were returned to the client. search-filter - The filter for a search operation. search-indexed - Indicates whether a search operation is considered indexed. search-requested-attributes - The set of requested attributes for a search operation. search-result-entry-dn - The DN of a search result entry that was returned to the client. search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client. search-scope-name - The name of the scope for a search operation. search-scope-value - The numeric value of the scope for a search operation. search-size-limit - The requested size limit for a search operation. search-time-limit-seconds - The requested time limit (in seconds) for a search operation. search-types-only - Indicates whether the search operation should return only attribute types or both types and values. security-negotiation-properties - Information about a set of additional properties associated with a security negotiation. security-negotiation-properties-name - The name of a security negotiation property. security-negotiation-properties-value - The value of a security negotiation property. server-assurance-results - An array of JSON objects with information about server assurance results for an operation. server-assurance-results-replica-id - The replica ID for a server assurance result. server-assurance-results-replication-server-id - The replication server ID for a server assurance result. server-assurance-results-result-code - The result code for a server assurance result. servers-accessed - A list of the servers accessed during the course of processing the operation. single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation. single-use-token-token-id - The token ID for a single-use token extended operation. single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation. single-use-token-user-dn - The target user DN for a single-use token extended operation. startup-id - A unique value generated when the server was started. streamed-entries-from-index - The name of an index from which search results were streamed. target-host - The address of a server to which the operation was formatted for processing. target-port - The port of a server to which the operation was formatted for processing. target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing. thread-id - A numeric identifier for the thread that processed the operation. timestamp - The timestamp for an access log message. totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation. totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation. triggered-by-connection-id - The connection ID for another operation that triggered the associated operation. triggered-by-operation-id - The operation ID for another operation that triggered the associated operation. uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation. uniqueness-request-control - A string representation of a uniqueness request control. used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set. used-privileges - A list of any privileges used in the course of processing the operation. using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool. verify-password-request-user-dn - The DN of the user targeted by a verify password extended request. work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread. yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind. yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation. yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-value-components-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
tokenize-value-components-field-name
Description | The names of any custom fields for which to tokenize components within the value. This should generally only be used for fields that are not available through the tokenize-value-components-field property (for example, custom log fields defined in Server SDK extensions). |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | The JSON Formatted Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-value-components-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled. |
To list the configured Log Field Behaviors:
dsconfig list-log-field-behaviors [--property {propertyName}] ...
To view the configuration for an existing Log Field Behavior:
dsconfig get-log-field-behavior-prop --behavior-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Log Field Behavior:
dsconfig set-log-field-behavior-prop --behavior-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new JSON Formatted Access Log Field Behavior:
dsconfig create-log-field-behavior --behavior-name {name} --type json-formatted-access [--set {propertyName}:{propertyValue}] ...
To delete an existing Log Field Behavior:
dsconfig delete-log-field-behavior --behavior-name {name}