(Copied from case verbatim)

Given the newer security log is in a JSON format, could we consider an optional access logging format that would consolidate relevant log information into a structured format? I wouldn't even necessarily suggest this become a default change, but first an option to change to this style of logging.

Example: If there is RESULT entry from a bind failure, I have to find the corresponding BIND operation line to find the DN, and then find the first line for the host's "conn=" to find the source IP. Having certain details repeated (like the connection IP in addition to the internal connection number), is a substantial improvement in usability at the cost of some increased disk IO and storage.

(Simiarly, high etime (unindexed) searches can have many other log entries between the SRCH line and the RESULT line.)