Text Access Log Field Behavior

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Text Access Log Field Behaviors are used to define the behavior to use when logging fields to a text-formatted access log.


Parent Component

The Text Access Log Field Behavior component inherits from the Log Field Behavior.

Relations to This Component

The following components have a direct aggregation relation to Text Access Log Field Behaviors:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 default-behavior
 preserve-field
 preserve-field-name
 omit-field
 omit-field-name
 redact-entire-value-field
 redact-entire-value-field-name
 redact-value-components-field
 redact-value-components-field-name
 tokenize-entire-value-field
 tokenize-entire-value-field-name
 tokenize-value-components-field
 tokenize-value-components-field-name

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Log Field Behavior
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

default-behavior

Description
The default behavior that the server should exhibit for fields for which no explicit behavior is defined. If no default behavior is defined, the server will fall back to using the default behavior configured for the syntax used for each log field.
Default Value
None
Allowed Values
preserve - Log the field with the intended value. The value will be preserved, although it may be sanitized for parsability or safety purposes (for example, to escape special characters in the value), and it may be truncated if the value is too long.

omit - Completely omit the field from the log message. Neither the field name nor its value will be included.

redact-entire-value - Log the field name, but redact the entire value so that it is not possible to determine what the original value was. In many cases, the redacted value will preserve the syntax for the original value (for example, the redacted representation of an integer will be a placeholder integer value), but this may not be possible for all syntaxes (for example, Boolean values).

redact-value-components - Log the field name, but redact components of the provided value to the extent possible. If values of this syntax may be comprised of multiple components, then some components may be individually redacted (for example, in an LDAP DN or search filter, attribute names may be preserved while the values are redacted, and it may even be possible to configure redaction for only values of a subset of attributes). If the syntax does not support redacting components within a value, then the entire value will be redacted.

tokenize-entire-value - Log the field name, but generate a token for the entire value that protects the actual content of the original value while still making it possible to identify other places where the same value appears elsewhere in the log. In many cases, the tokenized value will preserve the syntax for the original value, but this may not be possible for all syntaxes.

tokenize-value-components - Log the field name, but tokenize components of the provided value to the extent possible (for example, in an LDAP DN or search filter, each attribute value may be replaced with a token that represents that value, while attribute names may be preserved). If the syntax does not support tokenizing components within a value, then the entire value will be tokenized.
Multi-Valued
No
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of default-behavior values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.
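
The six behaviors and the way an explicit per-field setting overrides default-behavior can be modeled as follows. This is an added illustration, not the server's implementation: the token format, the {REDACTED} placeholder, the HMAC key, the simplified DN splitting, the SYNTAX_DEFAULT fallback and the log line layout are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key (assumption): the page does not say how tokens are derived.
TOKEN_KEY = b"constructed-demo-key"

# Behavior names as listed under default-behavior.
BEHAVIORS = (
    "preserve", "omit",
    "redact-entire-value", "redact-value-components",
    "tokenize-entire-value", "tokenize-value-components",
)

# Fields treated as DN-valued in this model (names taken from the field list).
DN_FIELDS = {"bind-dn", "requester-dn", "search-base-dn"}

# Stand-in for "the default behavior configured for the syntax" (assumption).
SYNTAX_DEFAULT = "preserve"


def token(value):
    """Keyed, deterministic token: equal inputs always yield equal tokens."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "{TOKENIZED:" + digest[:12] + "}"


def split_dn(dn):
    """Split a simple DN into (attribute, value) pairs.

    Simplification: escaped commas and multi-valued RDNs are not handled.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip(), val.strip()))
    return pairs


def resolve(config, field):
    """Explicit <behavior>-field lists win; otherwise use default-behavior."""
    for behavior in BEHAVIORS:
        if field in config.get(behavior + "-field", ()):
            return behavior
    return config.get("default-behavior") or SYNTAX_DEFAULT


def apply_behavior(behavior, value, is_dn):
    """Return the text to log, or None when the field is omitted entirely."""
    if behavior == "preserve":
        return value
    if behavior == "omit":
        return None
    redact = behavior.startswith("redact")
    transform = (lambda v: "{REDACTED}") if redact else token
    if behavior.endswith("-entire-value") or not is_dn:
        # Component behaviors fall back to the entire value when the
        # syntax has no components to work on.
        return transform(value)
    # Attribute names are kept; only the attribute values are transformed.
    return ",".join(f"{a}={transform(v)}" for a, v in split_dn(value))


def render(config, record):
    """Format one constructed log line from ordered (field, value) pairs."""
    parts = []
    for field, value in record:
        logged = apply_behavior(resolve(config, field), value, field in DN_FIELDS)
        if logged is not None:
            parts.append(f'{field}="{logged}"')
    return " ".join(parts)


# Constructed configuration and records, for illustration only.
CONFIG = {
    "default-behavior": "preserve",
    "omit-field": {"search-filter"},
    "redact-entire-value-field": {"requester-ip-address"},
    "tokenize-value-components-field": {"requester-dn", "bind-dn"},
}
RECORD_1 = [
    ("connection-id", "7"),
    ("requester-dn", "uid=jdoe,ou=People,dc=example,dc=com"),
    ("requester-ip-address", "192.0.2.10"),
    ("search-filter", "(uid=jdoe)"),
]
RECORD_2 = [
    ("connection-id", "9"),
    ("bind-dn", "uid=jdoe,ou=Admins,dc=example,dc=com"),
]

if __name__ == "__main__":
    print(render(CONFIG, RECORD_1))
    print(render(CONFIG, RECORD_2))
```

In the two rendered lines the uid value carries the same token, so the entries can still be correlated, whereas the redacted IP address cannot be matched against any other entry.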

preserve-field

Description
The log fields whose values should be logged with the intended value. The values for these fields will be preserved, although they may be sanitized for parsability or safety purposes (for example, to escape special characters in the value), and values that are too long may be truncated.
Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation request.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the unsuccessful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was forwarded for processing.

target-port - The port of a server to which the operation was forwarded for processing.

target-protocol - The protocol used to communicate with a server to which the operation was forwarded for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of preserve-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

preserve-field-name

Description
The names of any custom fields whose values should be preserved. This should generally only be used for fields that are not available through the preserve-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of preserve-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

omit-field

Description
The log fields that should be omitted entirely from log messages. Neither the field name nor value will be included.
Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include binary files.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or exclude base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The subject for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that password validation should be skipped.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation response.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was formatted for processing.

target-port - The port of a server to which the operation was formatted for processing.

target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of omit-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

omit-field-name

Description
The names of any custom fields that should be omitted from log messages. This should generally only be used for fields that are not available through the omit-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of omit-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

redact-entire-value-field

Description
The log fields whose values should be completely redacted in log messages. The field name will be included, but with a fixed value that does not reflect the actual value for the field. If possible, the redacted value will conform to the syntax used for the associated log field. The redacted values for each supported syntax include:
  • For fields with a string, string list, and Boolean syntax, the redacted value will be "{REDACTED}". Unfortunately, it isn't possible to redact a Boolean value in a way that preserves the syntax.
  • For fields with a DN syntax, the redacted value will be "redacted={REDACTED}".
  • For fields with a filter syntax, the redacted value will be "(redacted={REDACTED})".
  • For fields with a JSON object syntax, the redacted value will be "{ 'redacted':'{REDACTED}' }".
  • For fields with an integer syntax, the redacted value will be -999999999999999999.
  • For fields with a floating-point number syntax, the redacted value will be -999999.999999.
  • For fields with a generalized time syntax, the redacted value will be "99990101000000.000Z".
  • For fields with an RFC 3339 timestamp syntax, the redacted value will be "9999-01-01T00:00:00.000Z".
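
A log consumer has to recognise these placeholders, or a redacted integer ends up in a sum and a redacted Boolean is parsed as false. The following is an added example, not part of the product documentation or code: it assumes field values have already been extracted and unquoted from the log line, and the syntax labels, the syntax assigned to each field, and the sample records are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Placeholder written for each log field syntax, copied from the property
# description above. The dictionary keys are labels chosen for this example.
PLACEHOLDERS = {
    "string": "{REDACTED}",
    "string-list": "{REDACTED}",
    "boolean": "{REDACTED}",
    "dn": "redacted={REDACTED}",
    "filter": "(redacted={REDACTED})",
    "json": "{ 'redacted':'{REDACTED}' }",
    "integer": "-999999999999999999",
    "float": "-999999.999999",
    "generalized-time": "99990101000000.000Z",
    "rfc3339": "9999-01-01T00:00:00.000Z",
}
NUMERIC = {"integer", "float"}


class Redacted:
    """Marker that replaces a placeholder so it is never used as real data."""

    def __repr__(self):
        return "<redacted>"


REDACTED = Redacted()


def is_redacted(syntax, raw):
    """Return True when raw is the fixed placeholder for the given syntax."""
    placeholder = PLACEHOLDERS[syntax]
    text = raw.strip()
    if syntax in NUMERIC:
        # Compare numerically so a trailing zero does not hide the placeholder.
        try:
            return Decimal(text) == Decimal(placeholder)
        except InvalidOperation:
            return False
    if syntax == "json":
        # Ignore whitespace differences inside the JSON placeholder.
        return "".join(text.split()) == "".join(placeholder.split())
    return text == placeholder


def typed_value(syntax, raw):
    """Convert a raw field value, mapping placeholders to REDACTED first."""
    if is_redacted(syntax, raw):
        return REDACTED
    if syntax == "integer":
        return int(raw)
    if syntax == "float":
        return float(raw)
    if syntax == "boolean":
        # Checked after is_redacted: the Boolean placeholder is not a Boolean.
        return raw.strip().lower() == "true"
    return raw


def normalise(record, field_syntax):
    """Return the record with typed values; unknown fields count as strings."""
    return {name: typed_value(field_syntax.get(name, "string"), raw)
            for name, raw in record.items()}


def total_entries_returned(records, field_syntax):
    """Sum search-entries-returned; return (total, redacted records skipped)."""
    total, skipped = 0, 0
    for record in records:
        value = normalise(record, field_syntax).get("search-entries-returned")
        if isinstance(value, Redacted):
            skipped += 1
        elif value is not None:
            total += value
    return total, skipped


# Assumed syntaxes for four fields from the allowed-values list.
FIELD_SYNTAX = {
    "requester-dn": "dn",
    "search-filter": "filter",
    "search-entries-returned": "integer",
    "search-unindexed": "boolean",
}

# Constructed sample records; the second one has every field redacted.
SAMPLE_RECORDS = [
    {"requester-dn": "uid=jdoe,ou=People,dc=example,dc=com",
     "search-filter": "(uid=jdoe)",
     "search-entries-returned": "1", "search-unindexed": "false"},
    {"requester-dn": "redacted={REDACTED}",
     "search-filter": "(redacted={REDACTED})",
     "search-entries-returned": "-999999999999999999",
     "search-unindexed": "{REDACTED}"},
    {"requester-dn": "uid=app,ou=Apps,dc=example,dc=com",
     "search-filter": "(objectClass=*)",
     "search-entries-returned": "42", "search-unindexed": "true"},
]

if __name__ == "__main__":
    print(total_entries_returned(SAMPLE_RECORDS, FIELD_SYNTAX))
    print(normalise(SAMPLE_RECORDS[1], FIELD_SYNTAX))
```

Summing the raw integers instead would include the placeholder and produce a large negative total, which is why the check runs before any type conversion.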

Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or exclude base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation response.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the unsuccessful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was forwarded for processing.

target-port - The port of a server to which the operation was forwarded for processing.

target-protocol - The protocol used to communicate with a server to which the operation was forwarded for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-entire-value-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

redact-entire-value-field-name

Description
The names of any custom fields whose values should be completely redacted. This should generally only be used for fields that are not available through the redact-entire-value-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-entire-value-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

redact-value-components-field

Description
The log fields whose values will include redacted components. Redacting value components is only possible for fields with the string list, DN, filter, and JSON object syntaxes. For fields with other syntaxes, attempting to redact value components will cause the entire value to be redacted.
For fields with the string list syntax, each item in the list will be replaced with the string "{REDACTED}". For example, a list of three items will appear as "{REDACTED},{REDACTED},{REDACTED}".
For fields with the DN syntax, attribute values may be redacted, but the rest of the DN may remain intact (for example, "uid={REDACTED},ou={REDACTED},dc={REDACTED},dc={REDACTED}"). The same is true for fields with a search filter syntax (for example, "(&(uid={REDACTED})(objectClass={REDACTED}))"). In both cases, the syntax may optionally be configured with the names of the attributes to include in or exclude from the redaction so that only certain attributes (or all but certain attributes) will have their values redacted and all other attribute values will be preserved.
For fields with a JSON object syntax, JSON field values may be redacted, but the names of the fields will not be (for example, "{ 'firstName':'{REDACTED}', 'lastName':'{REDACTED}' }"). The syntax may optionally be configured with the names of the fields to include in or exclude from the redaction so that only certain fields (or all but certain fields) will have their values redacted and all other field values will be preserved. Note that if a JSON field is to be redacted, the value of that field will always be replaced with the string "{REDACTED}", regardless of the data type that the JSON value originally had.
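The component redaction rules described above, modeled as an added Python sketch so the expected log output can be reasoned about before enabling the behavior. This is not the server's code: the function names, the syntax labels passed to `redact_components`, and the `include`/`exclude` parameters (standing in for the optional attribute and field name lists) are assumptions, and only top-level JSON fields are handled because the page does not describe nested objects.

```python
import json
import re

REDACTED = "{REDACTED}"


def _selected(name, include=None, exclude=None):
    """True if the named attribute/field should have its value redacted.

    include: redact only these names. exclude: redact all but these.
    With neither configured, every value is redacted.
    """
    name = name.strip().lower()
    if include is not None:
        return name in {n.lower() for n in include}
    if exclude is not None:
        return name not in {n.lower() for n in exclude}
    return True


def redact_string_list(items):
    """Each item becomes the placeholder; the item count remains visible."""
    return ",".join(REDACTED for _ in items)


def redact_dn(dn, include=None, exclude=None):
    """Redact attribute values in a DN, keeping names and structure.

    Simplification: splits on ',' and '+' not preceded by a backslash, which
    covers 'cn=Doe\\, John' but not every RFC 4514 escape form.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            name, sep, _value = ava.partition("=")
            if sep and _selected(name, include, exclude):
                avas.append(f"{name}={REDACTED}")
            else:
                avas.append(ava)
        rdns.append("+".join(avas))
    return ",".join(rdns)


# One filter component: (attribute operator value). Parentheses inside
# assertion values are hex-escaped in LDAP filters, so [^()]* is sufficient.
_FILTER_ITEM = re.compile(r"\(([^()=<>~]+?)(:=|>=|<=|~=|=)([^()]*)\)")


def redact_filter(ldap_filter, include=None, exclude=None):
    """Redact assertion values; AND/OR/NOT structure and names are kept."""
    def repl(match):
        name, op, _value = match.groups()
        base = re.split(r"[;:]", name)[0]  # drop options / matching rule id
        if _selected(base, include, exclude):
            return f"({name}{op}{REDACTED})"
        return match.group(0)
    return _FILTER_ITEM.sub(repl, ldap_filter)


def redact_json(text, include=None, exclude=None):
    """Redact top-level field values; field names are kept. A redacted value
    always becomes the placeholder string, whatever its original type."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        return REDACTED
    return json.dumps({
        key: REDACTED if _selected(key, include, exclude) else value
        for key, value in obj.items()
    })


def redact_components(syntax, value, include=None, exclude=None):
    """Dispatch on a (hypothetical) syntax label. Any other syntax falls
    back to redacting the entire value."""
    if syntax == "string-list":
        return redact_string_list(value)
    if syntax == "dn":
        return redact_dn(value, include, exclude)
    if syntax == "filter":
        return redact_filter(value, include, exclude)
    if syntax == "json-object":
        return redact_json(value, include, exclude)
    return REDACTED


if __name__ == "__main__":
    # Constructed sample values, not taken from a real access log.
    print(redact_components("dn", "uid=jdoe,ou=People,dc=example,dc=com"))
    print(redact_components("filter", "(&(uid=jdoe)(objectClass=person))",
                            exclude=["objectClass"]))
    print(redact_components("json-object", '{"firstName": "Jo", "age": 42}'))
    print(redact_components("integer", "42"))
```

Even with every component redacted, the number of list items, the DN depth and the attribute names in a filter stay readable in the log, which is worth weighing when choosing between this property and redact-entire-value-field.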
Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include binary files.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or exclude base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The subject for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that password validation should be skipped.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation request.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the successful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was formatted for processing.

target-port - The port of a server to which the operation was formatted for processing.

target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-value-components-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

redact-value-components-field-name

Description
The names of any custom fields for which to redact components within the value. This should generally only be used for fields that are not available through the redact-value-components-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of redact-value-components-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

tokenize-entire-value-field

Description
The log fields whose values should be completely tokenized in log messages. The field name will be included, but the value will be replaced with a token that does not reveal the actual value, but that is generated from the value. If the same value appears multiple times in the log, then the same token will be used each time that value appears so that it will be possible to identify log messages for operations using that same value even if the value itself is not revealed.
If possible, tokenized values will conform to the syntax used for the associated log field. The tokenized values for each supported syntax include:
  • For fields with a string, string list, and Boolean syntax, the tokenized value will be "{TOKENIZED:token-value}" (where "token-value" will be replaced with the generated token string computed from the actual value). Unfortunately, it isn't possible to tokenize a Boolean value in a way that preserves the syntax (and Boolean values aren't well suited to tokenization anyway, given that there are only two possible values, so it would likely not be difficult to identify the token that corresponds to each value).
  • For fields with a DN syntax, the tokenized value will be "tokenized={TOKENIZED:token-value}" (where "token-value" will be replaced with the generated token string computed from the actual value).
  • For fields with a filter syntax, the tokenized value will be "(tokenized={TOKENIZED:token-value})" (where "token-value" will be replaced with the generated token string computed from the actual value).
  • For fields with a JSON object syntax, the tokenized value will be "{ 'tokenized':'{TOKENIZED:token-value}' }" (where "token-value" will be replaced with the generated token string computed from the actual value).
  • For fields with an integer syntax, the tokenized value will be -999999999token-value (where token-value will be replaced with a nine-digit number generated from the original integer value, like -999999999836712650).
  • For fields with a floating-point number syntax, the tokenized value will be -999999.token-value (where token-value will be replaced with a six-digit number generated from the original floating-point value, like -999999.738231).
  • For fields with the generalized time or RFC 3339 timestamp syntaxes, the tokenized value will use a year of 8888, with the remainder of the timestamp generated from the original value (for example, "88880821174803.163Z" for generalized time values or "8888-08-21T17:48:03.163Z" for RFC 3339 timestamp values).
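
The per-syntax token shapes listed above, as an added Python example (not code from the product or its documentation). The page does not describe how the server derives tokens, so the keyed HMAC-SHA-256 derivation, the example key, the hex rendering of token-value, and the syntax labels passed to tokenize() are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed key for this example only. The page does not say how the server
# derives tokens, so keyed HMAC-SHA-256 is an assumption made here.
EXAMPLE_KEY = b"constructed-example-key"


def _digest(value: str, key: bytes) -> bytes:
    """Keyed digest of the original value; equal inputs give equal digests."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def _digits(digest: bytes, count: int) -> str:
    """Derive a fixed-width, zero-padded decimal string from the digest."""
    return str(int.from_bytes(digest[:8], "big") % 10 ** count).zfill(count)


def tokenize(value: str, syntax: str, key: bytes = EXAMPLE_KEY) -> str:
    """Return a token shaped like the page's format for the given syntax.

    The syntax labels ("string", "dn", "rfc3339", ...) are hypothetical names
    chosen for this example, not configuration values.
    """
    digest = _digest(value, key)
    token = digest[:8].hex().upper()  # hypothetical rendering of token-value
    wrapped = "{TOKENIZED:%s}" % token
    if syntax in ("string", "string-list", "boolean"):
        return wrapped
    if syntax == "dn":
        return "tokenized=" + wrapped
    if syntax == "filter":
        return "(tokenized=" + wrapped + ")"
    if syntax == "json-object":
        return "{ 'tokenized':'" + wrapped + "' }"
    if syntax == "integer":
        return "-999999999" + _digits(digest, 9)
    if syntax == "float":
        return "-999999." + _digits(digest, 6)
    if syntax in ("generalized-time", "rfc3339"):
        # Year is fixed at 8888; every other component comes from the digest.
        # Day is capped at 28 so the result is a valid date in any month.
        parts = (
            digest[0] % 12 + 1,                          # month
            digest[1] % 28 + 1,                          # day
            digest[2] % 24,                              # hour
            digest[3] % 60,                              # minute
            digest[4] % 60,                              # second
            int.from_bytes(digest[5:7], "big") % 1000,   # milliseconds
        )
        if syntax == "generalized-time":
            return "8888%02d%02d%02d%02d%02d.%03dZ" % parts
        return "8888-%02d-%02dT%02d:%02d:%02d.%03dZ" % parts
    raise ValueError("unsupported syntax: " + syntax)


def token_frequencies(values, syntax: str, key: bytes = EXAMPLE_KEY) -> Counter:
    """Count how often each token appears for a series of field values.

    For a Boolean field there are only ever two tokens, so their relative
    frequency is usually enough to tell which one stands for which value.
    """
    return Counter(tokenize(v, syntax, key) for v in values)


if __name__ == "__main__":
    # Constructed sample values, one per syntax.
    samples = [
        ("uid=jdoe,ou=People,dc=example,dc=com", "dn"),
        ("(uid=jdoe)", "filter"),
        ("jdoe", "string"),
        ("42", "integer"),
        ("3.14", "float"),
        ("20230821174803.163Z", "generalized-time"),
        ("2023-08-21T17:48:03.163Z", "rfc3339"),
    ]
    for value, syntax in samples:
        print("%-18s %s" % (syntax, tokenize(value, syntax)))

    # Same value, same token: log lines can be correlated without the value.
    assert tokenize("jdoe", "string") == tokenize("jdoe", "string")

    # Boolean caveat: nine "true" and one "false" give two tokens, 9 to 1.
    print(token_frequencies(["true"] * 9 + ["false"], "boolean"))
```

Because each token keeps the field's syntax, log parsers that expect a DN, filter, integer or timestamp in that position continue to work on the tokenized output.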

Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation request.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the unsuccessful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was formatted for processing.

target-port - The port of a server to which the operation was formatted for processing.

target-protocol - The protocol used to communicate with a server to which the operation was formatted for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-entire-value-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

tokenize-entire-value-field-name

Description
The names of any custom fields whose values should be completely tokenized. This should generally only be used for fields that are not available through the tokenize-entire-value-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-entire-value-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

tokenize-value-components-field

Description
The log fields whose values will include tokenized components. Tokenizing value components is only possible for fields with the string list, DN, filter, and JSON object syntaxes. For fields with other syntaxes, attempting to tokenize value components will cause the entire value to be tokenized.
For fields with the string list syntax, each item in the list will be tokenized individually. For example, a list of two items will appear as "{TOKENIZED:token-value-1},{TOKENIZED:token-value-1}".
For fields with the DN syntax, attribute values may be tokenized, but the rest of the DN may remain intact (for example, "dc={TOKENIZED:token-value-1},dc={TOKENIZED:token-value-2}"). The same is true for fields with a search filter syntax (for example, "(&(uid={TOKENIZED:token-value-1})(objectClass={TOKENIZED:token-value-2}))"). In both cases, the syntax may optionally be configured with the names of the attributes to include in or exclude from the tokenization so that only certain attributes (or all but certain attributes) will have their values tokenized and all other attribute values will be preserved.
For fields with a JSON object syntax, JSON field values may be tokenized, but the names of the fields will not be (for example, "{ 'firstName':'{TOKENIZED:token-value-1}', 'lastName':'{TOKENIZED:token-value-2}' }"). The syntax may optionally be configured with the names of the fields to include in or exclude from the tokenization so that only certain fields (or all but certain fields) will have their values tokenized. Note that if a JSON field is to be tokenized, the value of that field will always be replaced with a generated string, regardless of the data type that the JSON value originally had.
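An added example (not part of the product documentation or the server's own code): a Python check that confirms every component of a logged value carries the {TOKENIZED:...} form described above, and reports only the attribute or JSON field name of anything left in the clear. The field-to-syntax map, the example-json-field name, the sample values, and the handling of "*" in filters are assumptions.

```python
import json
import re

# Assumption: a token is rendered as {TOKENIZED:<text>} with no braces inside,
# matching the form used in the description above.
TOKEN = re.compile(r"\{TOKENIZED:[^{}]+\}")
MARK = "\x00"  # stands in for one whole token after masking
# Simple filter assertions only; extensible-match (":=") assertions are not checked.
ASSERTION = re.compile(r"\(([^()=~<>:]+)(?:~=|>=|<=|=)([^()]*)\)")


def _mask(value):
    """Replace each token with MARK so token text cannot confuse the splitting."""
    return TOKEN.sub(MARK, value)


def check_string_list(value, exempt=frozenset()):
    """Return positions of list items that are not a single token (exempt unused)."""
    items = _mask(value).split(",")
    return [f"item[{i}]" for i, item in enumerate(items) if item.strip() != MARK]


def check_dn(value, exempt=frozenset()):
    """Return attribute names of RDN components whose value is not a token."""
    leaks = []
    if not value.strip():
        return leaks
    for rdn in re.split(r"(?<!\\),", _mask(value)):
        for ava in re.split(r"(?<!\\)\+", rdn):
            name, _, attr_value = ava.partition("=")
            name = name.strip()
            if name.lower() not in exempt and attr_value.strip() != MARK:
                leaks.append(name)
    return leaks


def check_filter(value, exempt=frozenset()):
    """Return attribute names of filter assertions whose value is not tokenized."""
    leaks = []
    for name, assertion in ASSERTION.findall(_mask(value)):
        # Assumption: "*" is filter syntax (presence/substring), not logged data.
        pieces = [p for p in assertion.split("*") if p]
        if name.lower() not in exempt and any(p != MARK for p in pieces):
            leaks.append(name)
    return leaks


def check_json(value, exempt=frozenset()):
    """Return paths of JSON values that are not token strings (numbers included)."""
    leaks = []

    def walk(node, path, name):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key, key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]", name)
        elif name.lower() not in exempt and not (
            isinstance(node, str) and TOKEN.fullmatch(node)
        ):
            leaks.append(path)

    try:
        walk(json.loads(value), "", "")
    except ValueError:
        leaks.append("<unparseable>")
    return leaks


CHECKERS = {"string-list": check_string_list, "dn": check_dn,
            "filter": check_filter, "json": check_json}


def audit(record, syntaxes, exempt=()):
    """Map each field with untokenized components to the names that leaked."""
    exempt = frozenset(n.lower() for n in exempt)
    report = {}
    for field, value in record.items():
        checker = CHECKERS.get(syntaxes.get(field))
        leaks = checker(value, exempt) if checker else []
        if leaks:
            report[field] = leaks
    return report


# Assumed syntax per field; the page lists field names but not their syntaxes.
SYNTAXES = {
    "search-base-dn": "dn",
    "search-filter": "filter",
    "search-requested-attributes": "string-list",
    "example-json-field": "json",  # hypothetical custom field name
}

# Constructed field values for illustration (not real server output).
SAMPLE = {
    "search-base-dn": "ou={TOKENIZED:a1b2},dc={TOKENIZED:c3d4},dc=com",
    "search-filter": "(&(uid={TOKENIZED:e5f6})(mail=jdoe@example.com)(objectClass=person))",
    "search-requested-attributes": "{TOKENIZED:g7h8},{TOKENIZED:i9j0}",
    "example-json-field": '{"firstName":"{TOKENIZED:k1l2}","age":42}',
}

if __name__ == "__main__":
    print(audit(SAMPLE, SYNTAXES, exempt={"objectClass"}))
```

Pass in exempt the attribute or JSON field names that the syntax is configured to leave preserved, so that only unexpected cleartext is reported.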
Default Value
None
Allowed Values
abandon-message-id - The message ID for an operation to be abandoned or canceled.

add-attributes - The list of attributes included in an add request.

add-entry-dn - The DN of an entry to be added.

add-undelete-from-dn - The DN of the soft-deleted entry being undeleted by an add operation.

additional-info - A message with additional information (that is not returned to the client) about the server's processing for the associated operation.

administrative-operation - The message from an administrative operation request control included in the operation request.

assurance-timeout-millis - The requested replication assurance timeout, in milliseconds.

authorization-dn - The DN used as the alternate authorization identity for an operation.

auto-authenticated-as - The DN of the user that was automatically authenticated to the server based on a client certificate chain presented during TLS negotiation.

bind-access-token-original-authentication-type - The authentication type for the original bind operation used to obtain a bind access token.

bind-authentication-dn - The DN of the user that was authenticated by a bind operation.

bind-authentication-failure-id - The numeric identifier for a general authentication failure reason.

bind-authentication-failure-name - The name of the identifier for a general authentication failure reason.

bind-authentication-failure-reason - The name for a general authentication failure reason.

bind-authentication-type - The name of the authentication type for a bind request.

bind-authorization-dn - The DN of the authorization identity resulting from a bind operation.

bind-dn - The bind DN included in a bind request.

bind-protocol-version - The protocol version specified in a bind request.

bind-retired-password-used - Indicates whether a retired password was used to authenticate to the server.

bind-sasl-mechanism - The name of the SASL mechanism used in a bind operation.

change-to-soft-deleted-entry - Indicates whether the associated operation updated or removed a soft-deleted entry.

cipher - The name of the cipher algorithm that was negotiated for the client connection.

client-connection-policy - The name of the client connection policy that has been assigned to the associated connection.

collect-support-data-comment - A comment provided when invoking the collect support data tool.

collect-support-data-encrypted - Indicates whether a collect support data archive should be encrypted.

collect-support-data-include-binary-files - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-expensive-data - Indicates whether a collect support data archive should include data that may be expensive to collect.

collect-support-data-include-extension-source - Indicates whether a collect support data archive should include source code (if available) for any third-party extensions that may be configured in the server.

collect-support-data-include-replication-state-dump - Indicates whether a collect support data archive should include a replication state dump.

collect-support-data-jstack-count - The number of jstacks to include in a collect support data archive.

collect-support-data-log-duration - The duration of log messages to include in a collect support data archive.

collect-support-data-log-file-head-collection-size-kb - The amount of data from the beginning of each log file included in a collect support data archive.

collect-support-data-log-file-tail-collection-size-kb - The amount of data from the end of each log file included in a collect support data archive.

collect-support-data-log-time-window - The time window for log file content to include in a collect support data archive.

collect-support-data-report-count - The number of intervals for interval-based metrics to include in a collect support data archive.

collect-support-data-report-interval-seconds - The duration of each report interval (in seconds) for interval-based metrics to include in a collect support data archive.

collect-support-data-security-level - The security level to use when including data in a collect support data archive.

collect-support-data-use-sequential-mode - Indicates whether collect support data information should be collected sequentially rather than in parallel.

compare-attribute-name - The name of the attribute targeted by a compare operation.

compare-entry-dn - The DN of the entry targeted by a compare operation.

connect-from-address - The address of the client from which a connection has been established.

connect-from-port - The remote client port from which a connection has been established.

connect-to-address - The server address to which a client connection has been established.

connect-to-port - The server port to which a connection has been established.

connection-id - The numeric identifier that the server has assigned to a client connection.

delete-entry-dn - The DN of an entry targeted by a delete operation.

delete-soft-deleted-entry-dn - The DN of a soft-deleted entry resulting from a delete operation.

deliver-otp-authentication-id - The authentication ID for a deliver one-time password extended operation.

deliver-otp-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver one-time password extended operation.

deliver-password-reset-token-dn - The DN of the target user for a deliver password reset token extended operation.

deliver-password-reset-token-preferred-delivery-mechanisms - The set of preferred delivery mechanisms for a deliver password reset token extended operation.

deliver-password-reset-token-successful-delivery-mechanism - The successful delivery mechanism for a deliver password reset token extended operation.

deliver-password-reset-token-unsuccessful-delivery-mechanisms - The set of unsuccessful delivery mechanisms for a deliver password reset token extended operation.

diagnostic-message - The diagnostic message for an operation, which is included in the response to the client.

disconnect-message - A message with additional information about a connection closure.

disconnect-reason - The general reason for a connection closure.

entry-rebalancing-admin-action-message - A message about any administrative action that may be required after an entry rebalancing operation.

entry-rebalancing-base-dn - The base DN for an entry rebalancing operation.

entry-rebalancing-entries-added-to-target - The number of entries added to the target server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-deleted-from-source - The number of entries deleted from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-entries-read-from-source - The number of entries retrieved from the source server in the course of processing an entry rebalancing operation.

entry-rebalancing-error-message - A message with information about an error that occurred during entry rebalancing processing.

entry-rebalancing-operation-id - The operation ID for an entry rebalancing operation.

entry-rebalancing-size-limit - The size limit for an entry rebalancing operation.

entry-rebalancing-source-backend-set - The name of the source backend set for an entry rebalancing operation.

entry-rebalancing-source-server - The address and port of the source server used for an entry rebalancing operation.

entry-rebalancing-source-server-altered - Indicates whether the source server was altered in the course of processing an entry rebalancing operation.

entry-rebalancing-target-backend-set - The name of the target backend set for an entry rebalancing operation.

entry-rebalancing-target-server - The address and port of the target server used for an entry rebalancing operation.

entry-rebalancing-target-server-altered - Indicates whether the target server was altered in the course of processing an entry rebalancing operation.

export-reversible-passwords-backend-id - The name of the target backend ID for an export reversible passwords extended operation.

export-reversible-passwords-encryption-settings-definition-id - The ID of the encryption settings definition used by an export reversible passwords extended operation.

export-reversible-passwords-entries-excluded-not-matching-base-dn - The number of entries excluded by an export reversible passwords extended operation because they did not match the provided include or excluded base DN criteria.

export-reversible-passwords-entries-excluded-not-matching-filter - The number of entries excluded by an export reversible passwords extended operation because they did not match a provided filter.

export-reversible-passwords-entries-excluded-without-passwords - The number of entries excluded by an export reversible passwords extended operation because they did not include a password.

export-reversible-passwords-entries-exported-with-non-reversible-passwords - The number of entries with non-reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-with-reversible-passwords - The number of entries with reversible passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-entries-exported-without-passwords - The number of entries without passwords that were included in an export reversible passwords extended operation.

export-reversible-passwords-exclude-base-dn - A base DN for entries that should be excluded from the export-reversible-passwords output.

export-reversible-passwords-export-non-reversible-passwords - Indicates whether an export reversible passwords extended operation should include non-reversible passwords.

export-reversible-passwords-export-only-entries-with-passwords - Indicates whether an export reversible passwords extended operation should include only entries that include passwords.

export-reversible-passwords-filter - A filter used to identify entries to include in an export reversible passwords extended operation.

export-reversible-passwords-include-base-dn - A base DN for entries that should be included in the export-reversible-passwords output.

export-reversible-passwords-include-virtual-attributes - Indicates whether an export reversible passwords extended operation should include virtual attributes in the entries that are exported.

export-reversible-passwords-output-file - The path to the output file written by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-examined - The total number of entries examined by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-excluded - The total number of entries excluded by an export reversible passwords extended operation.

export-reversible-passwords-total-entries-exported - The total number of entries exported by an export reversible passwords extended operation.

extended-request-oid - The request OID for an extended operation.

extended-request-type - The name for an extended request type.

extended-response-oid - The response OID for an extended operation.

extended-response-type - The name for an extended response type.

externally-processed-bind-authentication-id - The authentication ID for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-auth-failure-reason - The authentication failure reason for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-end-client-ip-address - The end client IP address for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-external-mechanism-name - The name of the authentication method used for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-password-based - Indicates whether the authentication was password-based for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-secure - Indicates whether the authentication was secure for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

externally-processed-bind-was-successful - Indicates whether the authentication was successful for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL bind.

generate-password-num-passwords - The number of passwords that should be generated by a generate password extended operation.

generate-password-max-validation-attempts - The maximum number of attempts that should be made to generate a password that satisfies the configured set of password validators in a generate password extended operation.

generate-password-password-generator - The name of the password generator to use for a generate password extended operation.

generate-password-password-policy - The name of the password policy to use for a generate password extended operation.

get-supported-otp-delivery-mechanisms-dn - The DN of the user targeted by a get supported OTP delivery mechanisms extended operation.

gssapi-bind-qop - The quality of protection (QoP) value for a GSSAPI SASL bind.

gssapi-bind-requested-authentication-id - The requested authentication ID value for a GSSAPI SASL bind.

gssapi-bind-requested-authorization-id - The requested authorization ID value for a GSSAPI SASL bind.

indexes-with-keys-accessed-exceeding-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys that exceeded the index entry limit.

indexes-with-keys-accessed-near-entry-limit - The names of indexes accessed in the course of processing the operation that touched keys near the index entry limit.

instance-name - The name of the server instance.

inter-server-bind-connection-privileges - The list of requested privileges for an inter-server SASL bind.

inter-server-bind-connection-purpose - The connection purpose for an inter-server SASL bind.

inter-server-bind-source-certificate-subject - The subject DN of the source server's certificate for an inter-server SASL bind.

inter-server-component - The name of the component that generated an inter-server request control included in the operation request.

inter-server-control-forwarded-client-connection-policy - The client connection policy name that was forwarded to a backend server by an inter-server request control.

inter-server-properties - A string representation of the properties included in an inter-server request control.

inter-server-operation-purpose - The operation purpose included in an inter-server request control included in the operation request.

intermediate-client-request - A string representation of an intermediate client request control included in the operation request.

intermediate-client-result - A string representation of an intermediate client response control included in the operation response.

intermediate-response-name - The name of an intermediate response that was returned to the client.

intermediate-response-oid - The OID of an intermediate response that was returned to the client.

intermediate-response-value - A string representation of the value for an intermediate response that was returned to the client.

intermediate-responses-returned - The number of intermediate response messages returned to the client.

issuer-certificate-subject-dn - The subject DN for an issuer certificate included in the client certificate chain presented during TLS negotiation.

ldap-client-decode-error-message - An error message encountered while decoding a request from an LDAP client.

local-assurance-level - The name of the requested local replication assurance level for the associated operation.

local-assurance-satisfied - Indicates whether the requested local replication assurance level was satisfied in the course of processing the operation.

matched-dn - The matched DN for the associated operation.

message-id - The numeric message ID for the associated operation.

missing-privileges - The names of any privileges that were required for the associated operation that the requester did not have.

moddn-delete-old-rdn - Indicates whether the old RDN attribute values should be removed from the entry in the course of processing a modify DN operation.

moddn-entry-dn - The DN of an entry targeted by a modify DN operation.

moddn-new-rdn - The new RDN to use for an entry targeted by a modify DN operation.

moddn-new-superior-dn - The DN of the new superior entry to use for an entry targeted by a modify DN operation.

modify-attributes - The names of the attributes targeted by a modify operation.

modify-entry-dn - The DN of an entry targeted by a modify operation.

multi-update-connection-id - The connection ID for an associated multi-update extended operation.

multi-update-first-failed-operation - A string representation of the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-error-message - The error message for the first failed operation for an associated multi-update extended operation.

multi-update-first-failed-operation-result-code - The result code value of the first failed operation for an associated multi-update extended operation.

multi-update-operation-id - The operation ID for an associated multi-update extended operation.

non-critical-json-formatted-request-control-decode-errors - Information about errors encountered while attempting to decode one or more non-critical controls embedded in a JSON-formatted request control.

non-critical-request-controls-ignored-due-to-acl - The OIDs of any non-critical request controls that were ignored because the requester did not have access control permission to use them.

oauthbearer-bind-access-token-client-id - The client ID for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-expiration-time - The expiration time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identifier - The identifier for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-identity-mapper - The name of the identity mapper used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-is-active - Indicates whether the access token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-access-token-issued-at - The issued at time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-issuer - The issuer for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-not-before - The not before time for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-owner - The owner for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-scope - The list of scopes for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-subject - The subject for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-type - The type for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-username - The username for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-access-token-validator - The name of the access token validator used for the access token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-error-code - The authorization error code for an OAUTHBEARER SASL bind.

oauthbearer-bind-authorization-id - The authorization ID for an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-client-id - The client ID for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-expiration-time - The expiration time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identifier - The identifier for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-identity-mapper - The name of the identity mapper used for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-is-active - Indicates whether the ID token provided to an OAUTHBEARER SASL bind is active.

oauthbearer-bind-id-token-issued-at - The issued at time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-issuer - The issuer for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-not-before - The not before time for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-owner - The owner for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-subject - The subject for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-type - The type for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-username - The username for the ID token provided to an OAUTHBEARER SASL bind.

oauthbearer-bind-id-token-validator - The name of the validator used for the ID token provided to an OAUTHBEARER SASL bind.

operation-id - A numeric identifier for the associated operation.

operation-oauth-scopes - The set of OAuth scopes that have been associated with an operation.

operation-purpose - A string representation of an operation purpose request control included in the operation request.

origin - The origin for the associated operation.

pass-through-authentication-mapped-dn - The mapped user DN for a pass-through authentication attempt.

pass-through-authentication-succeeded - Indicates whether a pass-through authentication attempt succeeded.

pass-through-authentication-updated-local-password - Indicates whether a pass-through authentication attempt updated the local password.

password-modify-grace-login-used - Indicates whether a grace login was used to authenticate for a password modify extended operation.

password-modify-target-entry - The target user DN for a password modify extended operation.

password-modify-used-password-reset-token - Indicates whether a password reset token was used to authenticate for a password modify extended operation.

password-policy-state-entry-dn - The DN of the target entry for a password policy state extended operation.

password-update-behavior-allow-pre-encoded-password - Indicates whether a password update behavior control indicates that a pre-encoded password should be allowed.

password-update-behavior-ignore-minimum-password-age - Indicates whether a password update behavior control indicates that the minimum password age should be ignored.

password-update-behavior-ignore-password-history - Indicates whether a password update behavior control indicates that the user's password history should be ignored.

password-update-behavior-is-self-change - Indicates whether a password update behavior control indicates that the operation should be processed as a self change.

password-update-behavior-must-change-password - Indicates whether a password update behavior control indicates that the user must be forced to choose a new password on the next authentication attempt.

password-update-behavior-password-storage-scheme - The name of the password storage scheme that a password update behavior control indicates should be used to encode the new password.

password-update-behavior-skip-password-validation - Indicates whether a password update behavior control indicates that password validation should be skipped for the new password.

peer-certificate-subject-dn - The subject DN for the peer certificate presented in the client certificate chain during TLS negotiation.

ping-one-pass-through-authentication-auth-failure-reason - The authentication failure reason for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-mapped-id - The mapped user ID for a PingOne pass-through authentication attempt.

ping-one-pass-through-authentication-updated-local-user-password - Indicates whether the local user's password was updated by a PingOne pass-through authentication attempt.

pluggable-pass-through-authentication-failure-reason - The authentication failure reason for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-mapped-user-identifier - The mapped user identifier for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-result-code - The result code for a pluggable pass-through authentication attempt.

pluggable-pass-through-authentication-updated-local-user-password - Indicates whether a pluggable pass-through authentication attempt updated the local user's password.

pre-authorization-used-privileges - The names of the pre-authorization privileges used in the course of processing an operation.

processing-time-millis - The length of time, in milliseconds, that a worker thread spent processing the operation.

product-name - The name of the server product that logged the message.

protocol - The name of the protocol the client is using to communicate with the server.

referral-urls - A list of the referral URLs returned in an operation result or a search result reference.

remote-assurance-level - The name of the requested remote replication assurance level for the associated operation.

remote-assurance-satisfied - Indicates whether the requested remote replication assurance level was satisfied in the course of processing the operation.

replace-certificate-certificate-decode-error - The certificate decode error for a replace certificate extended operation.

replace-certificate-certificate-source - The certificate source for a replace certificate extended operation.

replace-certificate-key-store-error - The key store error for a replace certificate extended operation.

replace-certificate-key-store-path - The key store path for a replace certificate extended operation.

replace-certificate-private-key-decode-error - The private key decode error for a replace certificate extended operation.

replace-certificate-request-decode-error - The request decode error for a replace certificate extended operation.

replace-certificate-tool-error - The tool error for a replace certificate extended operation.

replication-change-id - The replication change ID for the operation.

request-control-oids - The OIDs of the request controls included in the operation request.

requester-dn - The DN of the user that requested the operation.

requester-ip-address - The IP address of the client that requested the operation.

response-control-oids - The OIDs of the response controls included in the operation response.

response-delayed-by-assurance - Indicates whether the response to the operation was delayed by replication assurance processing.

result-code-name - The name of the result code for the associated operation.

result-code-value - The numeric value of the result code for the associated operation.

search-base-dn - The base DN for a search operation.

search-deref-policy - The alias dereferencing policy for a search operation.

search-entries-returned - The number of search result entries that were returned to the client.

search-filter - The filter for a search operation.

search-requested-attributes - The set of requested attributes for a search operation.

search-result-entry-dn - The DN of a search result entry that was returned to the client.

search-result-entry-attributes - The names of the attributes included in a search result entry that was returned to the client.

search-scope-value - The numeric value of the scope for a search operation.

search-size-limit - The requested size limit for a search operation.

search-time-limit-seconds - The requested time limit (in seconds) for a search operation.

search-types-only - Indicates whether the search operation should return only attribute types or both types and values.

search-unindexed - Indicates whether the search operation was considered unindexed.

server-assurance-results - A list of the replication assurance results from each of the servers.

servers-accessed - A list of the servers accessed during the course of processing the operation.

single-use-token-successful-delivery-mechanism - The name of the successful delivery mechanism for a single-use token extended operation.

single-use-token-token-id - The token ID for a single-use token extended operation.

single-use-token-unsuccessful-delivery-mechanisms - The names of the unsuccessful delivery mechanisms attempted for a single-use token extended operation.

single-use-token-user-dn - The target user DN for a single-use token extended operation.

startup-id - A unique value generated when the server was started.

streamed-entries-from-index - The name of an index from which search results were streamed.

target-host - The address of a server to which the operation was forwarded for processing.

target-port - The port of a server to which the operation was forwarded for processing.

target-protocol - The protocol used to communicate with a server to which the operation was forwarded for processing.

thread-id - A numeric identifier for the thread that processed the operation.

totp-shared-secret-authentication-id - The authentication ID for a TOTP shared secret extended operation.

totp-shared-secret-static-password-provided - Indicates whether a static password was provided for a TOTP shared secret extended operation.

triggered-by-connection-id - The connection ID for another operation that triggered the associated operation.

triggered-by-operation-id - The operation ID for another operation that triggered the associated operation.

uncached-data-accessed - Indicates whether the server accessed any uncached data in the course of processing the operation.

uniqueness-request-control - A string representation of a uniqueness request control.

used-cached-paged-results-id-set - Indicates whether a search processed with the simple paged results request control used a cached candidate ID set.

used-privileges - A list of any privileges used in the course of processing the operation.

using-admin-session-worker-thread - Indicates whether the operation is being processed using a worker thread from an administrative operation thread pool.

verify-password-request-user-dn - The DN of the user targeted by a verify password extended request.

work-queue-wait-time-millis - The length of time, in milliseconds, that the operation had to wait in the work queue before being picked up by a worker thread.

yubikey-otp-bind-authentication-id - The authentication ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-bind-authorization-id - The authorization ID for an UNBOUNDID-YUBIKEY-OTP SASL bind.

yubikey-otp-device-authentication-id - The authentication ID for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-static-password-provided - Indicates whether a static password was provided for a register or deregister YubiKey OTP device extended operation.

yubikey-otp-device-yubikey-public-id - The public ID of the associated YubiKey device for a register or deregister YubiKey OTP device extended operation.
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-value-components-field values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.

tokenize-value-components-field-name

Description
The names of any custom fields for which to tokenize components within the value. This should generally only be used for fields that are not available through the tokenize-value-components-field property (for example, custom log fields defined in Server SDK extensions).
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
The Text Access Log Field Behavior must be disabled and re-enabled for changes to this setting to take effect. Any changes made to the set of tokenize-value-components-field-name values will not take effect until the server is restarted or access loggers configured to use it have been disabled and re-enabled.


dsconfig Usage

To list the configured Log Field Behaviors:

dsconfig list-log-field-behaviors
     [--property {propertyName}] ...

To view the configuration for an existing Log Field Behavior:

dsconfig get-log-field-behavior-prop
     --behavior-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Log Field Behavior:

dsconfig set-log-field-behavior-prop
     --behavior-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Text Access Log Field Behavior:

dsconfig create-log-field-behavior
     --behavior-name {name}
     --type text-access
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Log Field Behavior:

dsconfig delete-log-field-behavior
     --behavior-name {name}
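
The following is an added example, not part of the product documentation: a small shell helper that assembles (but does not run) a create-log-field-behavior command, sending predefined field names to tokenize-value-components-field and any other name to tokenize-value-components-field-name. The behavior name, the custom field name example-sdk-field and the character checks are assumptions of this example, and connection arguments are omitted as in the templates above.

```shell
#!/bin/sh
# Added example: prints a dsconfig command line; it never invokes dsconfig.
# BUILTIN_FIELDS is a small subset of the allowed values listed on this page.
BUILTIN_FIELDS="requester-dn search-base-dn search-filter search-result-entry-dn password-modify-target-entry"

# is_builtin FIELD: succeeds if FIELD is one of the predefined names above.
is_builtin() {
    for known in $BUILTIN_FIELDS; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# build_tokenize_cmd BEHAVIOR_NAME FIELD...
# Predefined fields go to tokenize-value-components-field; anything else is
# treated as a custom field and goes to tokenize-value-components-field-name.
build_tokenize_cmd() {
    [ "$#" -ge 2 ] || { echo "usage: build_tokenize_cmd NAME FIELD..." >&2; return 2; }
    name=$1
    shift
    # Conservative character sets (an assumption of this example) so the
    # generated line is safe to paste into a shell without quoting.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid behavior name: $name" >&2; return 2 ;;
    esac
    cmd="dsconfig create-log-field-behavior --behavior-name $name --type text-access"
    for field in "$@"; do
        case $field in
            ''|*[!a-z0-9-]*) echo "invalid field name: $field" >&2; return 2 ;;
        esac
        if is_builtin "$field"; then
            cmd="$cmd --set tokenize-value-components-field:$field"
        else
            cmd="$cmd --set tokenize-value-components-field-name:$field"
        fi
    done
    printf '%s\n' "$cmd"
}

# Sample run with constructed names: two predefined fields and one custom field.
build_tokenize_cmd Tokenize-DNs requester-dn search-filter example-sdk-field
```

Per the Admin Action Required entries above, changes to these properties on an existing behavior take effect only after the behavior, or the access loggers that use it, have been disabled and re-enabled, or after a server restart.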