Access Log Filtering Criteria

A set of rules which together determine whether a log record should be logged or not.

Dependencies

The following objects have Access Log Filtering Criteria:

Access Log Filtering Criteria Properties

You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.

Basic Properties

connection-client-address-equal-to
connection-client-address-not-equal-to
connection-port-equal-to
connection-protocol-equal-to
log-record-type
request-target-dn-equal-to
request-target-dn-not-equal-to
response-etime-greater-than
response-etime-less-than
response-result-code-equal-to
response-result-code-not-equal-to
search-response-is-indexed
search-response-nentries-greater-than
search-response-nentries-less-than
user-dn-equal-to
user-dn-not-equal-to
user-is-member-of
user-is-not-member-of

Basic Properties

Use the --advanced option to access advanced properties.

connection-client-address-equal-to

Synopsis

Filters log records associated with connections which match at least one of the specified client host names or address masks.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-client-address-not-equal-to

Synopsis

Filters log records associated with connections which do not match any of the specified client host names or address masks.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-port-equal-to

Synopsis

Filters log records associated with connections to any of the specified listener port numbers.

Default Value

None

Allowed Values

An integer.

Lower limit: 1.

Upper limit: 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-protocol-equal-to

Synopsis

Filters log records associated with connections which match any of the specified protocols.

Description

Typical values include "ldap", "ldaps", or "jmx".

Default Value

None

Allowed Values

The protocol name as reported in the access log.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

log-record-type

Synopsis

Filters log records based on their type.

Default Value

None

Allowed Values

  • abandon: Abandon operations

  • add: Add operations

  • bind: Bind operations

  • compare: Compare operations

  • connect: Client connections

  • delete: Delete operations

  • disconnect: Client disconnections

  • extended: Extended operations

  • modify: Modify operations

  • rename: Rename operations

  • search: Search operations

  • unbind: Unbind operations

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-equal-to

Synopsis

Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-not-equal-to

Synopsis

Filters operation log records associated with operations which target entries matching none of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-etime-greater-than

Synopsis

Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-etime-less-than

Synopsis

Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-result-code-equal-to

Synopsis

Filters operation response log records associated with operations which include any of the specified result codes.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-result-code-not-equal-to

Synopsis

Filters operation response log records associated with operations which do not include any of the specified result codes.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-is-indexed

Synopsis

Filters search operation response log records associated with searches which were either indexed or unindexed.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-nentries-greater-than

Synopsis

Filters search operation response log records associated with searches which returned more than the specified number of entries.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-nentries-less-than

Synopsis

Filters search operation response log records associated with searches which returned less than the specified number of entries.

Description

It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-equal-to

Synopsis

Filters log records associated with users matching at least one of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-not-equal-to

Synopsis

Filters log records associated with users which do not match any of the specified DN patterns.

Description

Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-is-member-of

Synopsis

Filters log records associated with users which are members of at least one of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-is-not-member-of

Synopsis

Filters log records associated with users which are not members of any of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No