Configuration settings

The Neo4j configuration settings are set in neo4j.conf. Refer to The neo4j.conf file for details on how to use configuration settings.

Dynamic configuration settings

Dynamic settings can be changed at runtime, without restarting the service.

Dynamic settings are labeled Dynamic.

Changes to the configuration at runtime are not persisted. To avoid losing changes when restarting Neo4j, make sure you update neo4j.conf as well.

In a clustered environment, CALL dbms.setConfigValue affects only the server it is run against, and it is not propagated to other members. If you want to change the configuration settings on all cluster members, you have to run the procedure against each of them and update their neo4j.conf file.

Each member of the cluster has its own neo4j.conf file. It is recommended that the settings for a database are the same across all members of the cluster.

For more information on how to update dynamic configuration settings, see Update dynamic settings.
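Because runtime changes are neither persisted nor propagated, cluster members can silently end up with different effective settings. The following Python script is an added example, not part of the Neo4j documentation: it compares the `db.*` settings of several `neo4j.conf` files, fills in the defaults listed on this page for settings a member leaves out, and compares durations by length rather than by text. The function names and the sample files are hypothetical, and durations are assumed to be a single number with an optional unit.

```python
import re

# Duration units listed on this page; a bare number uses the default unit (seconds).
UNIT_NS = {"ns": 1, "μs": 10**3, "ms": 10**6, "s": 10**9,
           "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9}
DURATION = re.compile(r"(\d+)\s*(ns|μs|ms|s|m|h|d)?")

# Defaults copied from this page, used when a member leaves the setting out.
DEFAULTS = {
    "db.checkpoint": "PERIODIC",
    "db.checkpoint.interval.time": "15m",
    "db.checkpoint.interval.tx": "100000",
    "db.checkpoint.iops.limit": "600",
    "db.cluster.catchup.pull_interval": "1s",
}
DURATION_KEYS = {"db.checkpoint.interval.time", "db.cluster.catchup.pull_interval"}


def parse_conf(text):
    """Return {key: value} for key=value lines, ignoring blanks and # comments."""
    lines = (line.strip() for line in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def comparable(key, value):
    """Map a raw value to something that compares equal when the setting is equal."""
    if key in DURATION_KEYS and value is not None:
        m = DURATION.fullmatch(value)
        if m:  # single number + unit only; anything else is compared as text
            return int(m.group(1)) * UNIT_NS[m.group(2) or "s"]
    return value


def find_drift(members, prefix="db."):
    """members: {member name: neo4j.conf text}.

    Returns {setting: {member name: raw value or None}} for every setting
    under `prefix` whose effective value differs between members.
    """
    parsed = {name: parse_conf(text) for name, text in members.items()}
    keys = sorted({k for conf in parsed.values() for k in conf if k.startswith(prefix)})
    drift = {}
    for key in keys:
        raw = {name: conf.get(key) for name, conf in parsed.items()}
        effective = {comparable(key, v if v is not None else DEFAULTS.get(key))
                     for v in raw.values()}
        if len(effective) > 1:
            drift[key] = raw
    return drift


# Constructed sample: three members of one cluster.
SAMPLE_MEMBERS = {
    "core1": "db.checkpoint.interval.time=15m\ndb.checkpoint.iops.limit=600\n",
    "core2": "# tuned at runtime, then persisted on this member only\n"
             "db.checkpoint.interval.time=900\ndb.checkpoint.iops.limit=-1\n",
    "core3": "db.cluster.catchup.pull_interval=1000ms\n",
}

if __name__ == "__main__":
    for setting, values in find_drift(SAMPLE_MEMBERS).items():
        print(setting, values)
```

In the sample, `15m`, `900` and an unset value all mean the same checkpoint interval, so only `db.checkpoint.iops.limit` is reported.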

Checkpoint settings

Checkpointing is the process of flushing all pending page updates from the page cache to the store files. This is done periodically and is used to recover the database in case of a crash. The checkpoint settings control the frequency of checkpoints, and the amount of data that is written to disk in each checkpoint. See also Transaction log settings.

db.checkpoint

Table 1. db.checkpoint

Description

Configures the general policy for when checkpoints should occur. Possible values are:

Valid values

One of [PERIODIC, CONTINUOUS, VOLUME, VOLUMETRIC].

Default value

PERIODIC

db.checkpoint.interval.time

Table 2. db.checkpoint.interval.time

Description

Configures the time interval between checkpoints. The database does not checkpoint more often than the specified interval (unless checkpointing is triggered by a different event) but might checkpoint less often if performing a checkpoint takes longer than the configured interval. A checkpoint is a point in the transaction logs from which recovery starts. Longer checkpoint intervals typically mean that recovery takes longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

15m

db.checkpoint.interval.tx

Table 3. db.checkpoint.interval.tx

Description

Configures the transaction interval between checkpoints. The database does not checkpoint more often than the specified interval (unless checkpointing is triggered by a different event) but might checkpoint less often if performing a checkpoint takes longer than the configured interval. A checkpoint is a point in the transaction logs from which recovery starts. Longer checkpoint intervals typically mean that recovery takes longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files. The default is 100000 for a checkpoint every 100000 transactions.

Valid values

An integer that is minimum 1.

Default value

100000

db.checkpoint.interval.volume

Table 4. db.checkpoint.interval.volume

Description

Configures the volume of transaction logs between checkpoints. The database does not checkpoint more often than the specified interval (unless checkpointing is triggered by a different event) but might checkpoint less often if performing a checkpoint takes longer than the configured interval. A checkpoint is a point in the transaction logs from which recovery starts. Longer checkpoint intervals typically mean that recovery takes longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 1.00KiB.

Default value

250.00MiB

db.checkpoint.iops.limit

Enterprise Edition Dynamic

Table 5. db.checkpoint.iops.limit

Description

Limit the number of IOs the background checkpoint process consumes per second. This setting is advisory. It is ignored in Neo4j Community Edition and is followed to best effort in Enterprise Edition. An IO is, in this case, an 8 KiB (mostly sequential) write. Limiting the write IO in this way leaves more bandwidth in the IO subsystem to service random-read IOs, which is important for the response time of queries when the database cannot fit entirely in memory. The only drawback of this setting is that longer checkpoint times may lead to slightly longer recovery times in case of a database or system crash. A lower number means lower IO pressure and, consequently, longer checkpoint times. Set this to -1 to disable the IOPS limit and remove the limitation entirely. This lets the checkpointer flush data as fast as the hardware goes. Removing or commenting out the setting sets the default value of 600.

Valid values

An integer.

Default value

600

Cluster settings

The cluster settings are used to configure the behavior of a Neo4j cluster. For more information, see also Clustering settings.

db.cluster.catchup.pull_interval

Table 6. db.cluster.catchup.pull_interval

Description

The interval at which a secondary server fetches updates for a specific database from the primary server for that database.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1s

db.cluster.raft.apply.buffer.max_bytes

Table 7. db.cluster.raft.apply.buffer.max_bytes

Description

The maximum number of bytes in the apply buffer. This parameter limits the amount of memory that can be consumed by the apply buffer. If the bytes limit is reached, buffer size will be limited even if max_entries is not exceeded.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

1.00GiB

db.cluster.raft.apply.buffer.max_entries

Table 8. db.cluster.raft.apply.buffer.max_entries

Description

The maximum number of entries in the raft log entry prefetch buffer.

Valid values

An integer.

Default value

1024

db.cluster.raft.in_queue.batch.max_bytes

Table 9. db.cluster.raft.in_queue.batch.max_bytes

Description

Largest batch processed by RAFT in bytes.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

8.00MiB

db.cluster.raft.so_keepalive_enabled

Table 10. db.cluster.raft.so_keepalive_enabled

Description

Set the keepalive socket option (SO_KEEPALIVE) for all Raft TCP channels.

Valid values

A boolean.

Default value

false

db.cluster.raft.in_queue.max_bytes

Table 11. db.cluster.raft.in_queue.max_bytes

Description

Maximum number of bytes in the RAFT in-queue.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

2.00GiB

db.cluster.raft.leader_transfer.priority_group

Table 12. db.cluster.raft.leader_transfer.priority_group

Description

The name of a server_group whose members should be prioritized as leaders. This does not guarantee that the leader will always be a member of this group, but the cluster will attempt to transfer the leadership to such a member when possible. If a database is specified using db.cluster.raft.leader_transfer.priority_group.<database>, the specified priority group will apply to that database only. If no database is specified, that group will be the default and apply to all databases with no explicitly set priority group. Using this setting will disable leadership balancing.

Valid values

A string identifying a server tag.

Default value

db.cluster.raft.leader_transfer.priority_tag

Table 13. db.cluster.raft.leader_transfer.priority_tag

Description

The name of a server tag whose members should be prioritized as leaders. This does not guarantee that the leader will always be a member of this tag, but the cluster will attempt to transfer the leadership to such a member when possible. If a database is specified using db.cluster.raft.leader_transfer.priority_tag.<database>, the specified priority tag will apply only to that database. If no database is specified, that tag will be the default and apply to all databases with no explicitly set priority tag. Using this setting will disable leadership balancing.

Valid values

A string identifying a server tag.

Default value

db.cluster.raft.log.prune_strategy

Table 14. db.cluster.raft.log.prune_strategy

Description

RAFT log pruning strategy that determines which logs are to be pruned. Neo4j only prunes log entries up to the last applied index, which guarantees that logs are only marked for pruning once the transactions within are safely copied over to the local transaction logs and safely committed by a majority of cluster members. Possible values are a byte size or a number of transactions (e.g., 200K txs).

Valid values

A string.

Default value

1g size

db.cluster.raft.log_shipping.buffer.max_bytes

Table 15. db.cluster.raft.log_shipping.buffer.max_bytes

Description

The maximum number of bytes in the in-flight cache. This parameter limits the amount of memory that can be consumed by the cache. If the bytes limit is reached, cache size will be limited even if max_entries is not exceeded.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

1.00GiB

db.cluster.raft.log_shipping.buffer.max_entries

Table 16. db.cluster.raft.log_shipping.buffer.max_entries

Description

The maximum number of entries in the in-flight cache. Increasing size requires more memory but might improve performance in high-load situations.

Valid values

An integer.

Default value

1024

dbms.cluster.catchup.client_inactivity_timeout

Table 17. dbms.cluster.catchup.client_inactivity_timeout

Description

The catch-up protocol times out if the given duration elapses with no network activity. Every message received by the client from the server extends the timeout duration.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10m

dbms.cluster.network.client_inactivity_timeout

Table 18. dbms.cluster.network.client_inactivity_timeout

Description

A network request times out if the given duration elapses with no network activity. Every message received by the client from the server extends the timeout duration.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10m

dbms.cluster.discovery.endpoints

Table 19. dbms.cluster.discovery.endpoints

Description

A comma-separated list of endpoints that a server should contact in order to discover other cluster members. The setting configures the endpoints for Discovery service V1.

Valid values

A comma-separated list where each element is a socket address in the format of hostname:port, hostname, or :port.

Default value

dbms.cluster.discovery.v2.endpoints

Table 20. dbms.cluster.discovery.v2.endpoints

Description

A comma-separated list of endpoints that a server should contact in order to discover other cluster members. The setting configures the endpoints for Discovery service V2.

Valid values

A comma-separated list where each element is a socket address in the format of hostname:port, hostname, or :port.

Default value

dbms.cluster.discovery.endpoints and dbms.cluster.discovery.v2.endpoints must contain all cluster members hosting a system database in primary mode. However, it is typical that all cluster members, including the current server, are specified in those lists.

dbms.cluster.discovery.version

Table 21. dbms.cluster.discovery.version

Description

This setting allows you to select which discovery service should be started. Possible values are:

  • V1_ONLY — it runs only discovery service v1.

  • V1_OVER_V2 — it runs both Discovery Service V1 and Discovery Service V2, where V1 is the main service and V2 runs in the background.

  • V2_OVER_V1 — it runs both Discovery Service V1 and Discovery Service V2, where V2 is the main service and V1 runs in the background.

  • V2_ONLY — it runs only discovery service v2.

Valid values

One of [V1_ONLY, V1_OVER_V2, V2_OVER_V1, V2_ONLY].

Default value

V1_ONLY

dbms.cluster.discovery.log_level

Table 22. dbms.cluster.discovery.log_level

Description

The level of middleware logging.

Valid values

One of [DEBUG, INFO, WARN, ERROR, NONE].

Default value

WARN

dbms.cluster.discovery.resolver_type

Table 23. dbms.cluster.discovery.resolver_type

Description

Configure the resolver type that the discovery service uses for determining who should be part of the cluster. Valid values are LIST, SRV, DNS, and K8S:

LIST

A static configuration where dbms.cluster.discovery.endpoints must contain a list of the addresses of the cluster members.

SRV and DNS

A dynamic configuration where dbms.cluster.discovery.endpoints must point to a DNS entry containing the cluster members' addresses.

K8S

At least dbms.kubernetes.service_port_name must be set. The addresses of the cluster members are queried dynamically from Kubernetes.

Valid values

A string.

Default value

LIST

dbms.cluster.discovery.type

Table 24. dbms.cluster.discovery.type

Description

This setting has been replaced by dbms.cluster.discovery.resolver_type.

Valid values

One of [DNS, LIST, SRV, K8S].

Default value

LIST

dbms.cluster.minimum_initial_system_primaries_count

Table 25. dbms.cluster.minimum_initial_system_primaries_count

Description

Minimum number of machines initially required to form a clustered DBMS. The cluster is considered formed when at least this many members have discovered each other, bound together, and bootstrapped a highly available system database. As a result, at least this many of the cluster’s initial machines must have server.cluster.system_database_mode set to PRIMARY.
NOTE: If dbms.cluster.discovery.resolver_type is set to LIST and dbms.cluster.discovery.endpoints is empty, then the user is assumed to be deploying a standalone DBMS, and the value of this setting is ignored.

Valid values

An integer that is minimum 1.

Default value

3

dbms.cluster.network.connect_timeout

Table 26. dbms.cluster.network.connect_timeout

Description

The maximum amount of time to wait for a network connection to be established.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

30s

dbms.cluster.network.handshake_timeout

Table 27. dbms.cluster.network.handshake_timeout

Description

Timeout for the protocol negotiation handshake.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

20s

dbms.cluster.network.max_chunk_size

Table 28. dbms.cluster.network.max_chunk_size

Description

Maximum chunk size allowable across a network by clustering machinery.

Valid values

An integer that is in the range 4096 to 10485760.

Default value

32768

dbms.cluster.network.supported_compression_algos

Table 29. dbms.cluster.network.supported_compression_algos

Description

Network compression algorithms that this instance will allow in negotiation as a comma-separated list.
For incoming connections, the algorithms are listed in descending order of preference. An empty list implies no compression.
For outgoing connections, this merely specifies the allowed set of algorithms and the preference of the remote peer will be used for making the decision.
Allowable values: [Gzip, Snappy, Snappy_validating, LZ4, LZ4_high_compression, LZ_validating, LZ4_high_compression_validating]

Valid values

A comma-separated list where each element is a string.

Default value

dbms.cluster.raft.binding_timeout

Table 30. dbms.cluster.raft.binding_timeout

Description

The time allowed for a database on a Neo4j server to either join a cluster or form a new cluster with at least the quorum of the members available. The members are provided by dbms.cluster.discovery.endpoints for the system database and by the topology graph for standard databases.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1d

dbms.cluster.raft.client.max_channels

Table 31. dbms.cluster.raft.client.max_channels

Description

The maximum number of TCP channels between two nodes to operate the raft protocol. Each database gets allocated one channel, but a single channel can be used by more than one database.

Valid values

An integer.

Default value

8

dbms.cluster.raft.election_failure_detection_window

Table 32. dbms.cluster.raft.election_failure_detection_window

Description

The rate at which leader elections happen. Note that due to election conflicts, it might take several attempts to find a leader. The window should be significantly larger than typical communication delays to make conflicts unlikely.

Valid values

A duration-range <min-max> (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

3s-6s

dbms.cluster.raft.leader_failure_detection_window

Table 33. dbms.cluster.raft.leader_failure_detection_window

Description

The time window within which the loss of the leader is detected and the first re-election attempt is held. The window should be significantly larger than typical communication delays to make conflicts unlikely.

Valid values

A duration-range <min-max> (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

20s-23s

dbms.cluster.raft.leader_transfer.balancing_strategy

Table 34. dbms.cluster.raft.leader_transfer.balancing_strategy

Description

Which strategy to use when transferring database leaderships around a cluster. Note that if a leadership_priority_group is specified for a given database, the value of this setting will be ignored for that database. The following values are available:

  • equal_balancing automatically ensures that each primary server holds the leader role for an equal number of databases.

  • no_balancing prevents any automatic balancing of the leader role.

Valid values

One of [NO_BALANCING, EQUAL_BALANCING].

Default value

EQUAL_BALANCING

dbms.cluster.raft.log.pruning_frequency

Table 35. dbms.cluster.raft.log.pruning_frequency

Description

RAFT log pruning frequency.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10m

dbms.cluster.raft.log.reader_pool_size

Table 36. dbms.cluster.raft.log.reader_pool_size

Description

RAFT log reader pool size.

Valid values

An integer.

Default value

8

dbms.cluster.raft.log.rotation_size

Table 37. dbms.cluster.raft.log.rotation_size

Description

RAFT log rotation size. The log will be rotated when it reaches this size.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 1.00KiB.

Default value

250.00MiB

dbms.cluster.raft.membership.join_max_lag

Table 38. dbms.cluster.raft.membership.join_max_lag

Description

Maximum amount of lag accepted for a new follower to join the Raft group.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10s

dbms.cluster.raft.membership.join_timeout

Table 39. dbms.cluster.raft.membership.join_timeout

Description

Timeout for a new member to catch up.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10m

dbms.cluster.store_copy.max_retry_time_per_request

Table 40. dbms.cluster.store_copy.max_retry_time_per_request

Description

Maximum retry time per request during store copy. Regular store files and indexes are downloaded in separate requests during store copy. This configures the maximum time failed requests are allowed to resend.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

20m

initial.dbms.automatically_enable_free_servers

Table 41. initial.dbms.automatically_enable_free_servers

Description

Automatically enable free servers.

Valid values

A boolean.

Default value

false

initial.dbms.database_allocator

Table 42. initial.dbms.database_allocator

Description

Name of the initial database allocator. After the creation of the DBMS, it can be set by running the CALL dbms.setDatabaseAllocator() procedure.

Valid values

A string.

Default value

EQUAL_NUMBERS

initial.dbms.default_primaries_count

Table 43. initial.dbms.default_primaries_count

Description

The initial default number of primary servers for the standard databases. If the user does not specify the number of primaries in CREATE DATABASE, this value will be used unless overwritten by the dbms.setDefaultAllocationNumbers procedure.

Valid values

An integer that is minimum 1 and is maximum 11.

Default value

1

initial.dbms.default_secondaries_count

Table 44. initial.dbms.default_secondaries_count

Description

The initial default number of secondary servers for standard databases. If the user does not specify the number of secondaries in CREATE DATABASE, this value will be used unless overwritten by the dbms.setDefaultAllocationNumbers procedure.

Valid values

An integer that is minimum 0 and is maximum 20.

Default value

0

initial.server.allowed_databases

Table 45. initial.server.allowed_databases

Description

Names of the databases allowed on this server; all others are denied. Empty means all are allowed. This configuration can be overridden when enabling the server or altered at runtime without changing this setting. Exclusive with server.initial_denied_databases.

Valid values

A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name system.

Default value

initial.server.denied_databases

Table 46. initial.server.denied_databases

Description

Names of the databases not allowed on this server. Empty means nothing is denied. This configuration can be overridden when enabling the server or altered at runtime without changing this setting. Exclusive with server.initial_allowed_databases.

Valid values

A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name system.

Default value

initial.server.mode_constraint

Table 47. initial.server.mode_constraint

Description

A server can restrict itself to allow databases to be hosted only as primaries or secondaries. This setting is the default input for the ENABLE SERVER command - the user can overwrite it when executing the command.

Valid values

One of [PRIMARY, SECONDARY, NONE].

Default value

NONE

initial.server.tags

Table 48. initial.server.tags

Description

A list of tag names for the server used by the database allocation and when configuring load balancing and replication policies. This setting is the default input for the ENABLE SERVER command - the user can overwrite it when executing the command.

Valid values

A comma-separated list where each element is a string identifying a server tag, which contains no duplicate items.

Default value

server.cluster.advertised_address

Table 49. server.cluster.advertised_address

Description

Advertised hostname/IP address and port for the transaction shipping server.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:6000

server.cluster.catchup.connect_randomly_to_server_group

Table 50. server.cluster.catchup.connect_randomly_to_server_group

Description

Comma-separated list of groups to be used by the connect-randomly-to-server-group selection strategy. The connect-randomly-to-server-group strategy is used when the list of strategies (server.cluster.catchup.upstream_strategy) includes the value connect-randomly-to-server-group.

Valid values

A comma-separated list where each element is a string identifying a server tag.

Default value

server.cluster.catchup.connect_randomly_to_server_tags

Table 51. server.cluster.catchup.connect_randomly_to_server_tags

Description

Comma-separated list of tags to be used by the connect-randomly-to-server-with-tag selection strategy. The connect-randomly-to-server-with-tag strategy is used when the list of strategies (server.cluster.catchup.upstream_strategy) includes the value connect-randomly-to-server-with-tag.

Valid values

A comma-separated list where each element is a string identifying a server tag.

Default value

server.cluster.catchup.upstream_strategy

Table 52. server.cluster.catchup.upstream_strategy

Description

A descending-ordered list of strategies secondaries use to choose the upstream server from which to pull transactional updates. If none are valid or the list is empty, the default strategy is typically-connect-to-random-secondary.

Valid values

A comma-separated list where each element is a string.

Default value

server.cluster.catchup.user_defined_upstream_strategy

Table 53. server.cluster.catchup.user_defined_upstream_strategy

Description

Configuration of a user-defined upstream selection strategy. The user-defined strategy is used when the list of strategies (server.cluster.catchup.upstream_strategy) includes the value user_defined.

Valid values

A string.

Default value

server.cluster.listen_address

Table 54. server.cluster.listen_address

Description

Network interface and port for the transaction shipping server to listen on. Note that it is also possible to run the backup client against this port, so always limit access to it via the firewall and configure an SSL policy.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:6000
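Since the backup client can also reach the transaction shipping port, it helps to know exactly which address and port each listener ends up bound to. The following Python script is an added example, not part of the Neo4j documentation: it resolves the listener settings described on this page from a `neo4j.conf` and returns the ones reachable from other hosts, which are the ports that need a firewall rule and an SSL policy. The function names and the sample file are hypothetical; the value used when `server.default_listen_address` is unset is passed in by the caller because this page does not state it, and a value without a port is assumed to keep the setting's default port.

```python
# Listener settings and their default values as listed on this page.
LISTENERS = {
    "server.cluster.listen_address": ":6000",   # transaction shipping; backup client can use it too
    "server.cluster.raft.listen_address": ":7000",
    "server.discovery.listen_address": ":5000",
    "server.bolt.listen_address": ":7687",
}
WILDCARD_HOSTS = {"0.0.0.0", "[::]"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_socket_address(value):
    """Split 'hostname:port', 'hostname' or ':port' into (host or None, port or None)."""
    value = value.strip()
    if value.startswith("["):                   # bracketed IPv6 literal, e.g. [::1]:7000
        host, _, rest = value.partition("]")
        return host + "]", int(rest[1:]) if rest.startswith(":") else None
    host, sep, port = value.rpartition(":")
    if not sep:                                 # no colon at all: hostname only
        return value or None, None
    return host or None, int(port) if port else None


def effective_listeners(conf_text, default_listen_host):
    """Return {setting: (host, port)} after applying the fallbacks described on this page.

    default_listen_host is the host to use when server.default_listen_address
    is not set in conf_text (caller-supplied assumption).
    """
    conf = {k.strip(): v.strip()
            for k, sep, v in (line.partition("=") for line in conf_text.splitlines())
            if sep and not k.lstrip().startswith("#")}
    fallback_host = conf.get("server.default_listen_address", default_listen_host)
    found = {}
    for key, documented_default in LISTENERS.items():
        if key.startswith("server.bolt.") and conf.get("server.bolt.enabled", "true") == "false":
            continue                            # Bolt connector disabled: nothing listens
        host, port = split_socket_address(conf.get(key, documented_default))
        if port is None:                        # assumption: keep the setting's default port
            port = split_socket_address(documented_default)[1]
        found[key] = (host or fallback_host, port)
    return found


def firewall_review(conf_text, default_listen_host):
    """Listeners reachable from other hosts as (port, setting, host, scope), sorted by port."""
    rows = []
    for key, (host, port) in effective_listeners(conf_text, default_listen_host).items():
        if host.lower() in LOOPBACK_HOSTS:
            continue
        scope = "all-interfaces" if host in WILDCARD_HOSTS else "single-interface"
        rows.append((port, key, host, scope))
    return sorted(rows)


# Constructed sample for one cluster member.
SAMPLE_CONF = """\
# server.cluster.listen_address is left at its default
server.default_listen_address=0.0.0.0
server.cluster.raft.listen_address=10.0.0.11:7000
server.discovery.listen_address=10.0.0.11
server.bolt.listen_address=localhost:7687
"""

if __name__ == "__main__":
    # "localhost" here is an assumed fallback, used only if the file omits
    # server.default_listen_address.
    for row in firewall_review(SAMPLE_CONF, "localhost"):
        print(row)
```

In the sample, the transaction shipping listener is never mentioned in the file yet ends up on all interfaces, because it inherits the host from `server.default_listen_address`.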

server.cluster.network.native_transport_enabled

Table 55. server.cluster.network.native_transport_enabled

Description

Use native transport if available: Epoll on Linux or Kqueue on macOS/BSD. If this setting is set to false, or if native transport is not available, NIO transport will be used.

Valid values

A boolean.

Default value

true

server.cluster.raft.advertised_address

Table 56. server.cluster.raft.advertised_address

Description

Advertised hostname/IP address and port for the RAFT server.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:7000

server.cluster.raft.listen_address

Table 57. server.cluster.raft.listen_address

Description

Network interface and port for the RAFT server to listen on.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:7000

server.cluster.system_database_mode

Table 58. server.cluster.system_database_mode

Description

Users must manually specify the mode for the system database on each server.

Valid values

One of [PRIMARY, SECONDARY].

Default value

PRIMARY

server.discovery.listen_address

Table 59. server.discovery.listen_address

Description

Host and port to bind the cluster member discovery management communication.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:5000

server.groups

Table 60. server.groups

Description

A list of tag names for the server used when configuring load balancing and replication policies.

Valid values

A comma-separated list where each element is a string identifying a server tag.

Default value

Replaced by

initial.server.tags

Connection settings

Connection settings control the communication between servers and between a server and a client. Neo4j provides support for Bolt, HTTP, and HTTPS protocols via connectors. For more information about the connectors, see Configure connectors.

When configuring the HTTPS or Bolt connectors, see also Security settings and SSL framework for details on how to work with SSL certificates.

server.bolt.advertised_address

Table 61. server.bolt.advertised_address

Description

Advertised address for this connector.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:7687

server.bolt.connection_keep_alive

Table 62. server.bolt.connection_keep_alive

Description

The maximum time to wait before sending a NOOP on connections waiting for responses from active ongoing queries. The minimum value is 1 millisecond.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1ms.

Default value

1m

server.bolt.connection_keep_alive_for_requests

Table 63. server.bolt.connection_keep_alive_for_requests

Description

The type of messages for which keep-alive messages are enabled: ALL, STREAMING, or OFF.

Valid values

One of [ALL, STREAMING, OFF].

Default value

ALL

server.bolt.connection_keep_alive_probes

Table 64. server.bolt.connection_keep_alive_probes

Description

The total number of probes to be missed before a connection is considered stale. The minimum value is 1.

Valid values

An integer that is minimum 1.

Default value

2

server.bolt.connection_keep_alive_streaming_scheduling_interval

Table 65. server.bolt.connection_keep_alive_streaming_scheduling_interval

Description

The interval between every scheduled keep-alive check on all connections with active queries. Zero duration turns off keep-alive service.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 0s.

Default value

1m

server.bolt.enabled

Table 66. server.bolt.enabled

Description

Enable the Bolt connector.

Valid values

A boolean.

Default value

true

server.bolt.listen_address

Table 67. server.bolt.listen_address

Description

Address the connector should bind to.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:7687

server.bolt.additional_listen_addresses

Table 68. server.bolt.additional_listen_addresses

Description

Additional addresses the connector should bind to.

Valid values

A comma-separated set where each element is a socket address in the format of hostname:port, hostname, or :port.

Default value

server.bolt.ocsp_stapling_enabled

Table 69. server.bolt.ocsp_stapling_enabled

Description

Enable server OCSP stapling for bolt and http connectors.

Valid values

A boolean.

Default value

false

server.bolt.telemetry.enabled

Table 70. server.bolt.telemetry.enabled

Description

Enable the collection of driver telemetry.

Valid values

A boolean.

Default value

false

server.bolt.enable_network_error_accounting

Table 71. server.bolt.enable_network_error_accounting

Description

Enables accounting-based reporting of benign errors within the Bolt stack. When enabled, benign errors are reported only when such events occur with unusual frequency. When disabled, all benign network errors are reported.

Valid values

A boolean.

Default value

true

server.bolt.network_abort_clear_window_duration

Table 72. server.bolt.network_abort_clear_window_duration

Description

The duration for which network-related connection aborts need to remain at a reasonable level before the error is cleared.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

10m

server.bolt.network_abort_warn_threshold

Table 73. server.bolt.network_abort_warn_threshold

Description

The maximum number of network-related connection aborts allowed within a specified time window before emitting log messages. A value of zero reverts to legacy warning behavior.

Valid values

A long that is minimum 0.

Default value

2

server.bolt.network_abort_warn_window_duration

Table 74. server.bolt.network_abort_warn_window_duration

Description

The duration of the window in which network-related connection aborts are sampled.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

10m

server.bolt.thread_pool_keep_alive

Table 75. server.bolt.thread_pool_keep_alive

Description

The maximum time an idle thread in the thread pool bound to this connector waits for new tasks.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

5m

server.bolt.thread_pool_max_size

Table 76. server.bolt.thread_pool_max_size

Description

The maximum number of threads allowed in the thread pool bound to this connector.

Valid values

An integer.

Default value

400

server.bolt.thread_pool_min_size

Table 77. server.bolt.thread_pool_min_size

Description

The number of threads, including idle, to keep in the thread pool bound to this connector.

Valid values

An integer.

Default value

5

server.bolt.thread_starvation_clear_window_duration

Table 78. server.bolt.thread_starvation_clear_window_duration

Description

The duration for which unscheduled requests need to remain at a reasonable level before the error is cleared.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

10m

server.bolt.thread_starvation_warn_threshold

Table 79. server.bolt.thread_starvation_warn_threshold

Description

The maximum number of unscheduled requests allowed during thread starvation events within a specified time window before emitting log messages.

Valid values

A long that is minimum 0.

Default value

2

server.bolt.thread_starvation_warn_window_duration

Table 80. server.bolt.thread_starvation_warn_window_duration

Description

The duration of the window in which unscheduled requests are sampled.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

10m

server.bolt.tls_level

Table 81. server.bolt.tls_level

Description

The encryption level to be used to secure communications with this connector.

Valid values

One of [REQUIRED, OPTIONAL, DISABLED].

Default value

DISABLED

server.bolt.traffic_accounting_check_period

Table 82. server.bolt.traffic_accounting_check_period

Description

Amount of time spent between samples of current traffic usage. Lower values result in more accurate reporting while incurring a higher performance penalty. A value of zero disables traffic accounting.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is 0s or is minimum 1m.

Default value

5m

server.bolt.traffic_accounting_clear_duration

Table 83. server.bolt.traffic_accounting_clear_duration

Description

Time to be spent below the configured traffic threshold to clear traffic warnings.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1m.

Default value

10m

server.bolt.traffic_accounting_incoming_threshold_mbps

Table 84. server.bolt.traffic_accounting_incoming_threshold_mbps

Description

Maximum permitted incoming traffic within a configured accounting check window before emitting a warning (in Mbps).

Valid values

A long that is minimum 1.

Default value

950

server.bolt.traffic_accounting_outgoing_threshold_mbps

Table 85. server.bolt.traffic_accounting_outgoing_threshold_mbps

Description

Maximum permitted outgoing traffic within a configured accounting check window before emitting a warning (in Mbps).

Valid values

A long that is minimum 1.

Default value

950

server.http.advertised_address

Table 86. server.http.advertised_address

Description

Advertised address for this connector.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:7474

server.http.enabled

Table 87. server.http.enabled

Description

Enable the HTTP connector.

Valid values

A boolean.

Default value

true

server.http.listen_address

Table 88. server.http.listen_address

Description

Address the connector should bind to.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:7474

server.http_enabled_modules

Table 89. server.http_enabled_modules

Description

Defines the set of modules loaded into the Neo4j web server. The enterprise management endpoints are only available in the Enterprise edition.

Valid values

A comma-separated set where each element is one of [TRANSACTIONAL_ENDPOINTS, UNMANAGED_EXTENSIONS, BROWSER, ENTERPRISE_MANAGEMENT_ENDPOINTS, QUERY_API_ENDPOINTS].

Default value

TRANSACTIONAL_ENDPOINTS,UNMANAGED_EXTENSIONS,BROWSER,ENTERPRISE_MANAGEMENT_ENDPOINTS,QUERY_API_ENDPOINTS

server.http_enabled_transports

Table 90. server.http_enabled_transports

Description

Defines the set of transports available on the HTTP server.

Valid values

A comma-separated set where each element is one of [HTTP1_1, HTTP2].

Default value

HTTP1_1,HTTP2

server.https.advertised_address

Table 91. server.https.advertised_address

Description

Advertised address for this connector.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:7473

server.https.enabled

Table 92. server.https.enabled

Description

Enable the HTTPS connector.

Valid values

A boolean.

Default value

false

server.https.listen_address

Table 93. server.https.listen_address

Description

Address the connector should bind to.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:7473

server.default_advertised_address

Table 94. server.default_advertised_address

Description

Default hostname or IP address the server uses to advertise itself.

Valid values

A socket address in the format of hostname:port, hostname, or :port that has no specified port and is an accessible address.

Default value

localhost

server.default_listen_address

Table 95. server.default_listen_address

Description

Default network interface to listen for incoming connections. To listen for connections on all interfaces, use "0.0.0.0".

Valid values

A socket address in the format of hostname:port, hostname, or :port that has no specified port.

Default value

localhost
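An added example (not part of the Neo4j documentation): Python that resolves each connector's effective bind address as the tables above describe (a missing host is taken from server.default_listen_address) and reports connectors reachable off-host without mandatory TLS. The defaults are the ones listed on this page; the function names, the constructed sample file, the bracketed IPv6 notation, and the fallback of a missing port to the connector's documented default port are assumptions of this example.

```python
import ipaddress

# Defaults copied from the settings tables on this page.
DEFAULTS = {
    "server.default_listen_address": "localhost",
    "server.bolt.enabled": "true",
    "server.bolt.listen_address": ":7687",
    "server.bolt.tls_level": "DISABLED",
    "server.http.enabled": "true",
    "server.http.listen_address": ":7474",
    "server.https.enabled": "false",
    "server.https.listen_address": ":7473",
}

# Constructed sample neo4j.conf body, not taken from a real deployment.
SAMPLE_CONF = """\
server.default_listen_address=0.0.0.0
server.bolt.listen_address=:7687
server.bolt.tls_level=OPTIONAL
server.http.listen_address=127.0.0.1:7474
server.https.enabled=true
"""


def parse_conf(text):
    """Overlay key=value lines from neo4j.conf text on the documented defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Simplification of this example: a repeated key keeps its last value.
        conf[key.strip()] = value.strip()
    return conf


def split_address(value):
    """Split 'hostname:port', 'hostname' or ':port'; a missing part is None."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:7687 (assumed)
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, _, port = value.partition(":")
    else:  # bare hostname or bare IPv6 literal
        host, port = value, ""
    return (host or None, int(port) if port else None)


def effective_listen(conf, connector):
    """Return (host, port) the connector binds to after applying fallbacks."""
    key = f"server.{connector}.listen_address"
    host, port = split_address(conf[key])
    if host is None:  # documented: host comes from server.default_listen_address
        host, _ = split_address(conf["server.default_listen_address"])
    host = host or DEFAULTS["server.default_listen_address"]
    if port is None:  # assumption: fall back to the connector's default port
        _, port = split_address(DEFAULTS[key])
    return host, port


def is_loopback(host):
    """True for localhost and loopback IP literals; other names count as exposed."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return (connector, address, reason) for each exposed, unprotected connector."""
    conf = parse_conf(text)
    findings = []
    for connector in ("bolt", "http", "https"):
        if conf[f"server.{connector}.enabled"].lower() != "true":
            continue
        host, port = effective_listen(conf, connector)
        if is_loopback(host):
            continue
        address = f"{host}:{port}"
        if connector == "bolt":
            level = conf["server.bolt.tls_level"].upper()
            if level != "REQUIRED":
                findings.append(("bolt", address, f"server.bolt.tls_level={level}"))
        elif connector == "http":
            findings.append(("http", address, "plaintext HTTP connector"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

With every setting left at its default the audit reports nothing: Bolt's tls_level default of DISABLED and the enabled HTTP connector are shielded only by the localhost default bind, so changing server.default_listen_address alone exposes both.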

server.discovery.advertised_address

Table 96. server.discovery.advertised_address

Description

Advertised cluster member discovery management communication.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:5000

server.routing.advertised_address

Table 97. server.routing.advertised_address

Description

The advertised address for the intra-cluster routing connector.

Valid values

A socket address in the format of hostname:port, hostname, or :port that is an accessible address. If missing, it is acquired from server.default_advertised_address.

Default value

:7688

server.routing.listen_address

Table 98. server.routing.listen_address

Description

Address the routing connector should bind to.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:7688

dbms.routing.client_side.enforce_for_domains

Table 99. dbms.routing.client_side.enforce_for_domains

Description

Always use client-side routing (regardless of the default router) for neo4j:// protocol connections to these domains. A comma-separated list of domains. Wildcards (*) are supported.

Valid values

A comma-separated set where each element is a string.

Default value

dbms.routing.default_router

Table 100. dbms.routing.default_router

Description

Routing strategy for neo4j:// protocol connections. Default is CLIENT, using client-side routing, with server-side routing as a fallback (if enabled). When set to SERVER, client-side routing is short-circuited, and requests rely on server-side routing (which must be enabled for proper operation, i.e. dbms.routing.enabled=true). Can be overridden by dbms.routing.client_side.enforce_for_domains.

Valid values

One of [SERVER, CLIENT].

Default value

CLIENT

dbms.routing.driver.connection.connect_timeout

Table 101. dbms.routing.driver.connection.connect_timeout

Description

Socket connection timeout. A timeout of zero is treated as an infinite timeout and will be bound by the timeout configured on the operating system level.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

5s

dbms.routing.driver.connection.max_lifetime

Table 102. dbms.routing.driver.connection.max_lifetime

Description

Pooled connections older than this threshold will be closed and removed from the pool. Setting this option to a low value will cause a high connection churn and might result in a performance hit. It is recommended to set maximum lifetime to a slightly smaller value than the one configured in network equipment (load balancer, proxy, firewall, etc. can also limit maximum connection lifetime). Zero and negative values result in lifetime not being checked.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1h

dbms.routing.driver.connection.pool.acquisition_timeout

Table 103. dbms.routing.driver.connection.pool.acquisition_timeout

Description

Maximum amount of time spent attempting to acquire a connection from the connection pool. This timeout only kicks in when all existing connections are being used, and no new connections can be created because the maximum connection pool size has been reached. An error is raised when no connection can be acquired within the configured time. Negative values are allowed, which results in an unlimited acquisition timeout. A value of 0 is allowed, resulting in no timeout and immediate failure when the connection is unavailable.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1m

dbms.routing.driver.connection.pool.idle_test

Table 104. dbms.routing.driver.connection.pool.idle_test

Description

Pooled connections that have been idle in the pool for longer than this timeout will be tested to ensure they are still alive before being used again. If the value of this option is too low, acquiring a connection will require an additional network call, which will cause a performance hit. If the value of this option is too high, live connections might no longer be used, leading to errors. Hence, this parameter balances the likelihood of experiencing connection problems and performance. Usually, this parameter should not need tuning. Value 0 means connections will always be tested for validity. No connection liveness check is done by default.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

dbms.routing.driver.connection.pool.max_size

Table 105. dbms.routing.driver.connection.pool.max_size

Description

Maximum total number of connections to be managed by a connection pool. The limit is enforced for a combination of a host and user. Negative values are allowed and result in unlimited pool. Value of 0 is not allowed. Defaults to -1 (unlimited).

Valid values

An integer.

Default value

-1

dbms.routing.driver.logging.level

Table 106. dbms.routing.driver.logging.level

Description

Sets the level for the driver’s internal logging.

Valid values

One of [DEBUG, INFO, WARN, ERROR, NONE].

Default value

INFO

dbms.routing.enabled

Table 107. dbms.routing.enabled

Description

Enable server-side routing in clusters using an additional bolt connector. When configured, this allows requests to be forwarded from one cluster member to another, if the requests cannot be satisfied by the first member (e.g. write requests received by a non-leader).

Valid values

A boolean.

Default value

true

dbms.routing.load_balancing.plugin

Table 108. dbms.routing.load_balancing.plugin

Description

The load balancing plugin to use.

Valid values

A string that names an existing load balancer plugin.

Default value

server_policies

dbms.routing.load_balancing.shuffle_enabled

Table 109. dbms.routing.load_balancing.shuffle_enabled

Description

Vary the order of the entries in routing tables each time one is produced. This means that different clients should select a range of servers as their first contact, reducing the chance of all clients contacting the same server if alternatives are available. This makes the load across the servers more even.

Valid values

A boolean.

Default value

true

dbms.routing.reads_on_primaries_enabled

Table 110. dbms.routing.reads_on_primaries_enabled

Description

Configure if the dbms.routing.getRoutingTable() procedure should include non-writer primaries as read endpoints or return only secondaries.
NOTE: If there are no secondaries for the given database, primaries are returned as read endpoints, regardless of the value of this setting. Defaults to true so that non-writer primaries are available for read-only queries in a typical heterogeneous setup.

Valid values

A boolean.

Default value

true

dbms.routing.reads_on_writers_enabled

Table 111. dbms.routing.reads_on_writers_enabled

Description

Configure if the dbms.routing.getRoutingTable() procedure should include the writer as read endpoint or return only non-writers (non-writer primaries and secondaries).
NOTE: Writer is returned as read endpoint if no other member is present.

Valid values

A boolean.

Default value

false

dbms.routing_ttl

Table 112. dbms.routing_ttl

Description

How long callers should cache the response of the routing procedure dbms.routing.getRoutingTable().

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

5m

Cypher settings

The Cypher settings affect the behavior of Cypher queries. They can be used to tune the performance of Cypher queries or to restrict the kinds of queries that can be executed. For more information, see Statistics and execution plans.

dbms.cypher.forbid_exhaustive_shortestpath

Table 113. dbms.cypher.forbid_exhaustive_shortestpath

Description

This setting is associated with performance optimization. Set this to true in situations where it is preferable to have any queries using the 'shortestPath' function terminate as soon as possible with no answer, rather than potentially running for a long time attempting to find an answer (even if there is no path to be found). For most queries, the 'shortestPath' algorithm will return the correct answer very quickly. However there are some cases where it is possible that the fast bidirectional breadth-first search algorithm will find no results even if they exist. This can happen when the predicates in the WHERE clause applied to 'shortestPath' cannot be applied to each step of the traversal, and can only be applied to the entire path. When the query planner detects these special cases, it will plan to perform an exhaustive depth-first search if the fast algorithm finds no paths. However, the exhaustive search may be orders of magnitude slower than the fast algorithm. If it is critical that queries terminate as soon as possible, it is recommended that this option be set to true, which means that Neo4j will never consider using the exhaustive search for shortestPath queries. However, please note that if no paths are found, an error will be thrown at run time, which will need to be handled by the application.

Valid values

A boolean.

Default value

false

dbms.cypher.forbid_shortestpath_common_nodes

Table 114. dbms.cypher.forbid_shortestpath_common_nodes

Description

This setting is associated with performance optimization. The shortest path algorithm does not work when the start and end nodes are the same. With this setting set to false no path will be returned when that happens. The default value of true will instead throw an exception. This can happen if you perform a shortestPath search after a cartesian product that might have the same start and end nodes for some of the rows passed to shortestPath. If it is preferable to not experience this exception, and acceptable for results to be missing for those rows, then set this to false. If you cannot accept missing results, and really want the shortestPath between two common nodes, then re-write the query using a standard Cypher variable length pattern expression followed by ordering by path length and limiting to one result.

Valid values

A boolean.

Default value

true

dbms.cypher.hints_error

Table 115. dbms.cypher.hints_error

Description

Set this to specify the behavior when Cypher planner or runtime hints cannot be fulfilled. If true, then non-conformance will result in an error, otherwise only a warning is generated.

Valid values

A boolean.

Default value

false

dbms.cypher.infer_schema_parts

Table 116. dbms.cypher.infer_schema_parts

Description

Allow label inference during cardinality estimation. If the planner can logically deduce that a node has a label not explicitly expressed in the query, the planner will use this information during cardinality estimation.
This setting controls to what extent the planner should do that:

  • OFF: No predicates are inferred.

  • MOST_SELECTIVE_LABEL: Relationship types are used to infer labels on the relationships' end nodes. The planner only infers at most one label per node. If more than one label can be inferred for a given node, the planner keeps the most selective one, the one corresponding to the smallest number of nodes in the graph.

Valid values

One of [MOST_SELECTIVE_LABEL, OFF].

Default value

OFF

For some queries, the planner can infer predicates such as labels or types from the graph structure that can improve estimating the number of rows that each operator produces. For more information, see Cypher Manual → Execution plans and query tuning → Understanding execution plans.
For details on how to configure this setting on a per-query basis, effectively overriding this setting on that particular query, see Cypher Manual → Query tuning → Cypher infer schema parts.

dbms.cypher.lenient_create_relationship

Table 117. dbms.cypher.lenient_create_relationship

Description

Set this to change the behavior for Cypher create relationship when the start or end node is missing. By default this fails the query and stops execution, but by setting this flag the create operation is simply not performed and execution continues.

Valid values

A boolean.

Default value

false

dbms.cypher.min_replan_interval

Table 118. dbms.cypher.min_replan_interval

Description

The minimum time between possible Cypher query replanning events. After this time, the graph statistics will be evaluated, and if they have changed by more than the value set by dbms.cypher.statistics_divergence_threshold, the query will be replanned. If the statistics have not changed sufficiently, the same interval will need to pass before the statistics will be evaluated again. Each time they are evaluated, the divergence threshold will be reduced slightly until it reaches 10% after 7h, so that even moderately changing databases will see query replanning after a sufficiently long time interval.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10s

dbms.cypher.planner

Table 119. dbms.cypher.planner

Description

Set this to specify the default planner for the default language version.

Valid values

One of [DEFAULT, COST].

Default value

DEFAULT

dbms.cypher.render_plan_description

Table 120. dbms.cypher.render_plan_description

Description

If set to true, a textual representation of the plan description will be rendered on the server for all queries running with EXPLAIN or PROFILE. This allows clients such as the Neo4j Browser and Cypher Shell to show a more detailed plan description.

Valid values

A boolean.

Default value

true

dbms.cypher.statistics_divergence_threshold

Table 121. dbms.cypher.statistics_divergence_threshold

Description

The threshold for statistics above which a plan is considered stale.

If any of the underlying statistics used to create the plan have changed more than this value, the plan will be considered stale and will be replanned. Change is calculated as abs(a-b)/max(a,b).

This means that a value of 0.75 requires the database to quadruple in size before query replanning. A value of 0 means that the query will be replanned as soon as there is any change in statistics and the replan interval has elapsed.

This interval is defined by dbms.cypher.min_replan_interval and defaults to 10s. After this interval, the divergence threshold will slowly start to decline, reaching 10% after about 7h. This will ensure that long running databases will still get query replanning on even modest changes, while not replanning frequently unless the changes are very large.

Valid values

A double that is in the range 0.0 to 1.0.

Default value

0.75

server.cypher.parallel.worker_limit

Table 122. server.cypher.parallel.worker_limit

Description

Number of threads to allocate to Cypher worker threads for the parallel runtime. If set to a positive number, that number of workers will be started. If set to 0, one worker will be started for every logical processor available to the Java Virtual Machine.

If set to a negative number, the total number of logical processors available on the server will be reduced by the absolute value of that number. For example, if the server has 16 available processors and you set server.cypher.parallel.worker_limit to -1, the parallel runtime will have 15 threads available.

Valid values

An integer.

Default value

0

Database settings

Database settings affect the behavior of a Neo4j database, for example, the file watcher service, the database format, the database store files, and the database timezone. They can be varied between each database but must be consistent across all configuration files in a cluster/DBMS.

db.filewatcher.enabled

Table 123. db.filewatcher.enabled

Description

Allows the enabling or disabling of the file watcher service. This is an auxiliary service but should be left enabled in almost all cases.

Valid values

A boolean.

Default value

true

db.format

Table 124. db.format

Description

Database format. This is the format that will be used for new databases. Valid values are standard, aligned, high_limit or block. The aligned format is essentially the standard format with some minimal padding at the end of pages such that a single record will never cross a page boundary. The high_limit and block formats are available for Enterprise Edition only. Either high_limit or block is required if you have a graph that is larger than 34 billion nodes, 34 billion relationships, or 68 billion properties.

Valid values

A string.

Default value

block

db.relationship_grouping_threshold

Table 125. db.relationship_grouping_threshold

Description

Relationship count threshold for considering a node to be dense.

Valid values

An integer that is minimum 1.

Default value

50

db.store.files.preallocate

Table 126. db.store.files.preallocate

Description

Specify if Neo4j should try to preallocate store files as they grow.

Valid values

A boolean.

Default value

true

db.temporal.timezone

Table 127. db.temporal.timezone

Description

Database timezone for temporal functions. All Time and DateTime values that are created without an explicit timezone will use this configured default timezone.

Valid values

A string describing a timezone, either described by offset (e.g. +02:00) or by name (e.g. Europe/Stockholm).

Default value

Z

db.track_query_cpu_time

Table 128. db.track_query_cpu_time

Description

Enables or disables tracking of how much time a query spends actively executing on the CPU. Calling SHOW TRANSACTIONS will display the time, but not in the query.log.
If you want the CPU time to be logged in the query.log, set db.track_query_cpu_time=true.

Valid values

A boolean.

Default value

false

DBMS settings

The DBMS settings affect the Neo4j DBMS as a whole. You can use them to set the default database, the DBMS timezone, a list of seed providers, and the maximum number of databases. The DBMS settings must be consistent across all configuration files in a cluster/DBMS.

initial.dbms.default_database

Table 129. initial.dbms.default_database

Description

Name of the default database (aliases are not supported).
NOTE: This setting is not the same as dbms.default_database, which was used to set the default database in Neo4j 4.x and earlier versions.

The initial.dbms.default_database setting is meant to set the default database before the creation of the DBMS. Once it is created, the setting is not valid anymore.

To set the default database, use the dbms.setDefaultDatabase() procedure instead.

Valid values

A valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name system.

Default value

neo4j

dbms.db.timezone

Table 130. dbms.db.timezone

Description

Database timezone. Among other things, this setting influences the monitoring procedures.

Valid values

One of [UTC, SYSTEM].

Default value

UTC

dbms.databases.seed_from_uri_providers

Table 131. dbms.databases.seed_from_uri_providers

Description

Databases can be created from an existing seed (a database backup or dump) stored at a specific source URI. Different implementations of com.neo4j.dbms.seeding.SeedProvider support various types of seed sources.

The following values are available: S3SeedProvider, CloudSeedProvider, URLConnectionSeedProvider, and FileSeedProvider.

  • S3SeedProvider supports seeds addressed with s3.

  • CloudSeedProvider supports seeds addressed with s3, azb, gs.

  • URLConnectionSeedProvider supports seeds addressed with ftp, http, and https.

  • FileSeedProvider supports seeds addressed with file.

This list specifies enabled seed providers. If a seed source (URI scheme) is supported by multiple providers in the list, the first matching provider will be used. If the list is set to empty, the seed from URI functionality is effectively disabled. See Seed from URI for more information.

Valid values

A comma-separated list where each element is a string.

Default value

S3SeedProvider,CloudSeedProvider
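An added example (not from the Neo4j documentation): Python that applies the first-matching-provider rule described above to a dbms.databases.seed_from_uri_providers value, then reviews the list for providers that accept unencrypted or local-file seeds or that can never be selected because of their position. The provider-to-scheme map is the one listed above; the function names, the finding texts and the sample URIs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Provider -> URI schemes, as listed in the description of this setting.
PROVIDER_SCHEMES = {
    "S3SeedProvider": ("s3",),
    "CloudSeedProvider": ("s3", "azb", "gs"),
    "URLConnectionSeedProvider": ("ftp", "http", "https"),
    "FileSeedProvider": ("file",),
}

# Classification made by this example: schemes without transport encryption.
UNENCRYPTED = {"ftp", "http"}


def parse_providers(setting_value):
    """Split the comma-separated setting value, keeping the configured order."""
    return [name.strip() for name in setting_value.split(",") if name.strip()]


def resolve_provider(setting_value, seed_uri):
    """Return the first enabled provider matching the URI scheme, else None."""
    scheme = urlsplit(seed_uri).scheme.lower()
    for name in parse_providers(setting_value):
        if scheme in PROVIDER_SCHEMES.get(name, ()):
            return name
    return None  # an empty list, or no match, means the seed cannot be loaded


def review(setting_value):
    """Return (provider, finding) pairs for a configured provider list."""
    findings = []
    claimed = set()  # schemes already matched by an earlier provider
    for name in parse_providers(setting_value):
        schemes = PROVIDER_SCHEMES.get(name)
        if schemes is None:
            findings.append((name, "not one of the four providers listed on this page"))
            continue
        reachable = [s for s in schemes if s not in claimed]
        if not reachable:
            findings.append((name, "never selected: earlier providers match all its schemes"))
        for scheme in reachable:
            if scheme in UNENCRYPTED:
                findings.append((name, f"accepts unencrypted {scheme}:// seeds"))
            elif scheme == "file":
                findings.append((name, "reads seeds from the server's local filesystem"))
        claimed.update(schemes)
    return findings


if __name__ == "__main__":
    default = "S3SeedProvider,CloudSeedProvider"
    # Constructed sample URIs.
    for uri in ("s3://example-bucket/db.backup", "gs://example-bucket/db.backup",
                "http://seeds.example.internal/db.backup"):
        print(uri, "->", resolve_provider(default, uri))
    print(review("CloudSeedProvider,S3SeedProvider,URLConnectionSeedProvider"))
```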

dbms.max_databases

Table 132. dbms.max_databases

Description

The maximum number of databases.

Valid values

A long that is minimum 2.

Default value

100

dbms.usage_report.enabled

Table 133. dbms.usage_report.enabled

Description

Usage data reporting.

Valid values

A boolean.

Default value

true

Import settings

The import settings control the size of the internal buffer used by LOAD CSV and the escaping of quotes in CSV files.

db.import.csv.buffer_size

Table 134. db.import.csv.buffer_size

Description

The size of the internal buffer in bytes used by LOAD CSV. If the CSV file contains huge fields, this value may have to be increased.

Valid values

A long that is minimum 1.

Default value

2097152

db.import.csv.legacy_quote_escaping

Table 135. db.import.csv.legacy_quote_escaping

Description

Selects whether to conform to the standard https://tools.ietf.org/html/rfc4180 for interpreting escaped quotation characters in CSV files loaded using LOAD CSV. Setting this to false will use the standard, interpreting repeated quotes '""' as a single in-lined quote, while true will use the legacy convention originally supported in Neo4j 3.0 and 3.1, allowing a backslash to include quotes in-lined in fields.

Valid values

A boolean.

Default value

true

Index settings

The index settings control the full-text index and the background index sampling (chunk size limit and sample size). For more information, see Index configuration.

db.index.fulltext.default_analyzer

Table 136. db.index.fulltext.default_analyzer

Description

The name of the analyzer that the full-text indexes should use by default.

Valid values

A string.

Default value

standard-no-stop-words

db.index.fulltext.eventually_consistent

Table 137. db.index.fulltext.eventually_consistent

Description

Whether full-text indexes should be eventually consistent by default.

Valid values

A boolean.

Default value

false

db.index.fulltext.eventually_consistent_apply_parallelism

Table 138. db.index.fulltext.eventually_consistent_apply_parallelism

Description

The number of threads processing queued index updates for eventually consistent full-text indexes.

Valid values

An integer that is minimum 1.

Default value

1

db.index.fulltext.eventually_consistent_refresh_interval

Table 139. db.index.fulltext.eventually_consistent_refresh_interval

Description

How often an eventually consistent full-text index is refreshed (changes are guaranteed to be visible). If set to 0, refresh is done by the threads applying eventually consistent full-text index updates.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

db.index.fulltext.eventually_consistent_refresh_parallelism

Table 140. db.index.fulltext.eventually_consistent_refresh_parallelism

Description

The number of threads that can do full-text index refresh in parallel, i.e. the number of eventually consistent full-text indexes that can be refreshed in parallel.

Valid values

An integer that is minimum 1.

Default value

1

db.index.fulltext.eventually_consistent_index_update_queue_max_length

Table 141. db.index.fulltext.eventually_consistent_index_update_queue_max_length

Description

The eventually consistent mode of the full-text indexes works by queueing up index updates to be applied later in a background thread. This setting sets an upper bound on how many index updates are allowed to be in this queue at any one point in time. When it is reached, the commit process will slow down and wait for the index update applier thread to make some more room in the queue.

Valid values

An integer that is in the range 1 to 50000000.

Default value

10000

db.index_sampling.background_enabled

Table 142. db.index_sampling.background_enabled

Description

Enable or disable background index sampling.

Valid values

A boolean.

Default value

true

db.index_sampling.sample_size_limit

Table 143. db.index_sampling.sample_size_limit

Description

Index sampling chunk size limit.

Valid values

An integer that is in the range 1048576 to 2147483647.

Default value

8388608

db.index_sampling.update_percentage

Table 144. db.index_sampling.update_percentage

Description

Percentage of index updates of total index size required before sampling of a given index is triggered.

Valid values

An integer that is minimum 0.

Default value

5

Logging settings

Neo4j has two different configuration files for logging: one for the neo4j.log, which contains general information about Neo4j, and one for all other types of logging via Log4j 2 (except gc.log, which is handled by the Java Virtual Machine (JVM)). For more information, see Logging.

db.logs.query.annotation_data_as_json_enabled

Table 145. db.logs.query.annotation_data_as_json_enabled

Description

Log the annotation data as JSON strings instead of a Cypher map. This configuration has an effect only when the query log is in JSON format. From 5.9, if true, it collapses the nested JSON objects in the query logger.

Valid values

A boolean.

Default value

false

Replaced by

db.logs.query.annotation_data_format

Table 146. db.logs.query.annotation_data_format

Description

The format to use for the JSON annotation data.

CYPHER

Formatted as a Cypher map. E.g. {foo: 'bar', baz: {k: 1}}.

JSON

Formatted as a JSON map. E.g. {"foo": "bar", "baz": {"k": 1}}.

FLAT_JSON

Formatted as a flattened JSON map. E.g. {"foo": "bar", "baz.k": 1}.

This only has an effect when the query log is in JSON format.

Valid values

One of [CYPHER, JSON, FLAT_JSON].

Default value

CYPHER

db.logs.query.early_raw_logging_enabled

Table 147. db.logs.query.early_raw_logging_enabled

Description

Log query text and parameters without obfuscating passwords. This allows queries to be logged earlier before parsing starts.

Valid values

A boolean.

Default value

false

db.logs.query.enabled

Table 148. db.logs.query.enabled

Description

Log executed queries. Valid values are OFF, INFO, or VERBOSE.

OFF

no logging.

INFO

log queries at the end of execution that take longer than the configured threshold, db.logs.query.threshold.

VERBOSE

log queries at the start and end of execution, regardless of db.logs.query.threshold.

Log entries are written to the query log.

This feature is available in the Neo4j Enterprise Edition.

Valid values

One of [OFF, INFO, VERBOSE].

Default value

VERBOSE

db.logs.query.max_parameter_length

Table 149. db.logs.query.max_parameter_length

Description

Sets the maximum character length used for each parameter in the log. This only takes effect if db.logs.query.parameter_logging_enabled = true.

Valid values

An integer.

Default value

2147483647

db.logs.query.obfuscate_literals

Table 150. db.logs.query.obfuscate_literals

Description

Obfuscates all literals of the query before writing to the log. Note that node labels, relationship types and map property keys are still shown. Changing the setting will not affect queries that are cached. So, if you want the switch to have an immediate effect, you must also call CALL db.clearQueryCaches().

Valid values

A boolean.

Default value

false

db.logs.query.parameter_logging_enabled

Table 151. db.logs.query.parameter_logging_enabled

Description

Log parameters for the executed queries being logged.

Valid values

A boolean.

Default value

true

db.logs.query.plan_description_enabled

Table 152. db.logs.query.plan_description_enabled

Description

Log query plan description table, useful for debugging purposes.

Valid values

A boolean.

Default value

false

db.logs.query.threshold

Table 153. db.logs.query.threshold

Description

If the execution of a query takes more time than this threshold, the query is logged once completed - provided query logging is set to INFO. Defaults to 0 seconds, that is all queries are logged.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

db.logs.query.transaction.enabled

Table 154. db.logs.query.transaction.enabled

Description

Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'. OFF: no logging. INFO: log the start and end of transactions that take longer than the configured threshold, db.logs.query.transaction.threshold. VERBOSE: log the start and end of all transactions. Log entries are written to the query log.

Valid values

One of [OFF, INFO, VERBOSE].

Default value

OFF

db.logs.query.transaction.threshold

Table 155. db.logs.query.transaction.threshold

Description

If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to INFO. Defaults to 0 seconds (all transactions are logged).

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

dbms.logs.http.enabled

Table 156. dbms.logs.http.enabled

Description

Enable HTTP request logging.

Valid values

A boolean.

Default value

false

server.logs.config

Table 157. server.logs.config

Description

Path to the logging configuration for debug, query, http and security logs.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

conf/server-logs.xml

server.logs.debug.enabled

Table 158. server.logs.debug.enabled

Description

Enable the debug log.

Valid values

A boolean.

Default value

true

server.logs.gc.enabled

Table 159. server.logs.gc.enabled

Description

Enable GC Logging.

Valid values

A boolean.

Default value

false

server.logs.gc.options

Table 160. server.logs.gc.options

Description

GC Logging Options.

Valid values

A string.

Default value

-Xlog:gc*,safepoint,age*=trace

server.logs.gc.rotation.keep_number

Table 161. server.logs.gc.rotation.keep_number

Description

Number of GC logs to keep.

Valid values

An integer.

Default value

5

server.logs.gc.rotation.size

Table 162. server.logs.gc.rotation.size

Description

Size of each GC log that is kept.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

20.00MiB

server.logs.user.config

Table 163. server.logs.user.config

Description

Path to the logging configuration of user logs.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

conf/user-logs.xml

Memory settings

Memory settings control how much memory is allocated to Neo4j and how it is used. It is recommended to perform a certain amount of testing and tuning of these settings to figure out the optimal division of the available memory. For more information on how to tune these settings, see Memory configuration, Disks, RAM and other tips, and Tuning of the garbage collector.

db.memory.pagecache.warmup.enable

Table 164. db.memory.pagecache.warmup.enable

Description

The page cache can be configured to perform usage sampling of loaded pages, which can be used to construct an active load profile. According to that profile, pages can be reloaded on restart, replication, etc. This setting allows disabling that behavior. This feature is available in Neo4j Enterprise Edition.

Valid values

A boolean.

Default value

true

db.memory.pagecache.warmup.preload

Table 165. db.memory.pagecache.warmup.preload

Description

Page cache warmup can be configured to prefetch files, preferably when the cache size is bigger than the store size. Files to be prefetched can be filtered by db.memory.pagecache.warmup.preload.allowlist. Enabling this disables warmup by profile.

Valid values

A boolean.

Default value

false

db.memory.pagecache.warmup.preload.allowlist

Table 166. db.memory.pagecache.warmup.preload.allowlist

Description

Page cache warmup prefetch file allowlist regex. By default matches all files.

Valid values

A string.

Default value

.*

db.memory.pagecache.warmup.profile.interval

Table 167. db.memory.pagecache.warmup.profile.interval

Description

The profiling frequency for the page cache. Accurate profiles allow the page cache to do an active warmup after a restart, reducing the mean time to performance.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1m

db.memory.transaction.max

Table 168. db.memory.transaction.max

Description

Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm', and gigabytes with 'g'). Zero means 'largest possible value'.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 1.00MiB or is 0B.

Default value

0B

db.memory.transaction.total.max

Table 169. db.memory.transaction.total.max

Description

Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 10.00MiB or is 0B.

Default value

0B

db.tx_state.memory_allocation

Table 170. db.tx_state.memory_allocation

Description

Defines whether memory for transaction state should be allocated on- or off-heap. Note that for small transactions you can gain up to 25% write speed by setting it to ON_HEAP.

Valid values

One of [ON_HEAP, OFF_HEAP].

Default value

ON_HEAP

server.db.query_cache_size

Table 171. server.db.query_cache_size

Description

The number of cached Cypher query execution plans per database. The max number of query plans that can be kept in cache is the number of databases * server.db.query_cache_size. With 10 databases and server.db.query_cache_size=1000, the caches can keep 10000 plans in total on the instance, assuming that each DB receives queries that fill up its cache.

Valid values

An integer that is minimum 0.

Default value

1000

Replaced by

dbms.memory.tracking.enable

Table 172. dbms.memory.tracking.enable

Description

Enable off heap and on heap memory tracking. Should not be set to false for clusters.

Valid values

A boolean.

Default value

true

dbms.memory.transaction.total.max

Table 173. dbms.memory.transaction.total.max

Description

Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'. Defaults to 70% of the heap size limit.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 10.00MiB or is 0B.

Default value

server.memory.heap.initial_size

Table 174. server.memory.heap.initial_size

Description

Initial heap size. By default it is calculated based on available system resources.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

server.memory.heap.max_size

Table 175. server.memory.heap.max_size

Description

Maximum heap size. By default it is calculated based on available system resources.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

server.memory.off_heap.block_cache_size

Table 176. server.memory.off_heap.block_cache_size

Description

Defines the size of the off-heap memory blocks cache. The cache will contain this number of blocks for each block size that is a power of two. Thus, the maximum amount of memory used by the blocks cache can be calculated as 2 * server.memory.off_heap.max_cacheable_block_size * server.memory.off_heap.block_cache_size.

Valid values

An integer that is minimum 16.

Default value

128

server.memory.off_heap.max_cacheable_block_size

Table 177. server.memory.off_heap.max_cacheable_block_size

Description

Defines the maximum size of an off-heap memory block that can be cached to speed up allocations. The value must be a power of 2.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 4.00KiB and is power of 2.

Default value

512.00KiB

server.memory.off_heap.transaction_max_size

Table 178. server.memory.off_heap.transaction_max_size

Description

The maximum amount of off-heap memory that can be used to store transaction state data; it’s a total amount of memory shared across all active transactions. Zero means 'unlimited'. Used when db.tx_state.memory_allocation is set to 'OFF_HEAP'.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 0B.

Default value

2.00GiB

server.memory.pagecache.directio

Table 179. server.memory.pagecache.directio

Description

Use direct I/O for page cache. This setting is supported only on Linux and only for a subset of record formats that use platform-aligned page size.

Valid values

A boolean.

Default value

false

server.memory.pagecache.flush.buffer.enabled

Table 180. server.memory.pagecache.flush.buffer.enabled

Description

The page cache can be configured to use a temporary buffer for flushing purposes. It is used to combine, if possible, a sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and to better utilize the available I/O resources, especially when those are restricted.

Valid values

A boolean.

Default value

false

server.memory.pagecache.flush.buffer.size_in_pages

Table 181. server.memory.pagecache.flush.buffer.size_in_pages

Description

The page cache can be configured to use a temporary buffer for flushing purposes. It is used to combine, if possible, a sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and to better utilize the available I/O resources, especially when those are restricted. Use this setting to configure the individual file flush buffer size in pages (8KiB). To be able to utilize this buffer during page cache flushing, buffered flush should be enabled.

Valid values

An integer that is in the range 1 to 512.

Default value

128

server.memory.pagecache.scan.prefetchers

Table 182. server.memory.pagecache.scan.prefetchers

Description

The maximum number of worker threads to use for pre-fetching data when doing sequential scans. Set to '0' to disable pre-fetching for scans.

Valid values

An integer that is in the range 0 to 255.

Default value

4

server.memory.pagecache.size

Table 183. server.memory.pagecache.size

Description

The amount of memory to use for mapping the store files. If Neo4j is running on a dedicated server, then it is generally recommended to leave about 2-4 gigabytes for the operating system, give the JVM enough heap to hold all your transaction state and query context, and then leave the rest for the page cache. If no page cache memory is configured, then a heuristic setting is computed based on available system resources. By default, the size of the page cache will be 50% of available RAM minus the max heap size. The size of the page cache will also not be larger than 70x the max heap size (due to some overhead of the page cache in the heap).

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB).

Default value

server.memory.query_cache.sharing_enabled

Table 184. server.memory.query_cache.sharing_enabled

Description

Enable sharing cache space between different databases. With this option turned on, databases will share cache space, but not cache entries. This means that a database may store and retrieve entries from the shared cache, but it may not retrieve entries produced by another database. The database may, however, evict entries from other databases as necessary, according to the constrained cache size and cache eviction policy. In essence, databases may compete for cache space, but may not observe each other’s entries.

When this option is turned on, the cache space available to all databases is configured with server.memory.query_cache.shared_cache_num_entries. With this option turned off, the cache space available to each individual database is configured with server.memory.query_cache.per_db_cache_num_entries.

Valid values

A boolean.

Default value

false

server.memory.query_cache.shared_cache_num_entries

Table 185. server.memory.query_cache.shared_cache_num_entries

Description

The number of cached queries for all databases. The maximum number of queries that can be kept in a cache is exactly server.memory.query_cache.shared_cache_num_entries. This setting determines the cache size only when server.memory.query_cache.sharing_enabled is set to true.

Valid values

An integer that is minimum 0.

Default value

1000

server.memory.query_cache.per_db_cache_num_entries

Table 186. server.memory.query_cache.per_db_cache_num_entries

Description

The number of cached queries per database. The maximum number of queries that can be kept in a cache is number of databases * server.memory.query_cache.per_db_cache_num_entries. With 10 databases and server.memory.query_cache.per_db_cache_num_entries=1000, the cache can keep 10000 plans in total. This setting determines the cache size only when server.memory.query_cache.sharing_enabled is set to false.

Valid values

An integer that is minimum 0.

Default value

1000

Metrics settings

The metrics settings control whether Neo4j will log metrics, what metrics to log, how to log them, and how to expose them. For better understanding of the metrics settings and how to configure them, see Metrics.

server.metrics.csv.enabled

Table 187. server.metrics.csv.enabled

Description

Set to true to enable exporting metrics to CSV files.

Valid values

A boolean.

Default value

true

server.metrics.csv.interval

Table 188. server.metrics.csv.interval

Description

The reporting interval for the CSV files. That is, how often new rows with numbers are appended to the CSV files.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1ms.

Default value

30s

server.metrics.csv.rotation.compression

Table 189. server.metrics.csv.rotation.compression

Description

Decides what compression to use for the csv history files.

Valid values

One of [NONE, ZIP, GZ].

Default value

NONE

server.metrics.csv.rotation.keep_number

Table 190. server.metrics.csv.rotation.keep_number

Description

Maximum number of history files for the csv files.

Valid values

An integer that is minimum 1.

Default value

7

server.metrics.csv.rotation.size

Table 191. server.metrics.csv.rotation.size

Description

The file size in bytes at which the csv files will auto-rotate. If set to zero then no rotation will occur. Accepts a binary suffix k, m or g.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is in the range 0B to 8388608.00TiB.

Default value

10.00MiB

server.metrics.enabled

Table 192. server.metrics.enabled

Description

Enable metrics. Setting this to false will turn off all metrics.

Valid values

A boolean.

Default value

true

server.metrics.filter

Table 193. server.metrics.filter

Description

Specifies which metrics should be enabled by using a comma separated list of globbing patterns. Only the metrics matching the filter will be enabled. For example *check_point*,neo4j.page_cache.evictions will enable any checkpoint metrics and the pagecache eviction metric.

Valid values

A comma-separated list where each element is a simple globbing pattern that can use * and ?.

Default value

*bolt.connections*,*bolt.messages_received*,*bolt.messages_started*,*dbms.pool.bolt.free,*dbms.pool.bolt.total_size,*dbms.pool.bolt.total_used,*dbms.pool.bolt.used_heap,*cluster.raft.is_leader,*cluster.raft.last_leader_message,*cluster.raft.replication_attempt,*cluster.raft.replication_fail,*cluster.raft.last_applied,*cluster.raft.last_appended,*cluster.raft.append_index,*cluster.raft.commit_index,*cluster.raft.applied_index,*cluster.internal.discovery.memberset.left,*cluster.internal.discovery.crdt.gossip_id_data.size,*cluster.internal.discovery.crdt.server_data.size,*cluster.internal.discovery.crdt.database_data.size,*cluster.internal.discovery.crdt.leader_data.size,*cluster.internal.discovery.crdt.total_merge_operations,*cluster.internal.discovery.crdt.total_update_operations,*cluster.internal.discovery.gossip.incoming_queue_size,*cluster.internal.discovery.gossip.total_received_data,*cluster.internal.discovery.gossip.total_sent_data,*cluster.internal.discovery.gossip.uncontactable_members_exist,*check_point.*,*cypher.replan_events,*cypher.cache*,*ids_in_use*,*pool.transaction.*.total_used,*pool.transaction.*.used_heap,*pool.transaction.*.used_native,*store.size*,*transaction.active_read,*transaction.active_write,*transaction.committed*,*transaction.last_committed_tx_id,*transaction.peak_concurrent,*transaction.rollbacks*,*page_cache.hit*,*page_cache.page_faults,*page_cache.usage_ratio,*vm.file.descriptors.count,*vm.gc.time.*,*vm.heap.used,*vm.memory.buffer.direct.used,*vm.memory.pool.g1_eden_space,*vm.memory.pool.g1_old_gen,*vm.pause_time,*vm.thread*,*db.query.execution*,*protocol*

server.metrics.graphite.enabled

Table 194. server.metrics.graphite.enabled

Description

Set to true to enable exporting metrics to Graphite.

Valid values

A boolean.

Default value

false

server.metrics.graphite.interval

Table 195. server.metrics.graphite.interval

Description

The reporting interval for Graphite. That is, how often to send updated metrics to Graphite.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

30s

server.metrics.graphite.server

Table 196. server.metrics.graphite.server

Description

The hostname or IP address of the Graphite server.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

:2003

server.metrics.jmx.enabled

Table 197. server.metrics.jmx.enabled

Description

Set to true to enable the JMX metrics endpoint.

Valid values

A boolean.

Default value

true

server.metrics.prefix

Table 198. server.metrics.prefix

Description

A common prefix for the reported metrics field names.

Valid values

A string.

Default value

neo4j

server.metrics.prometheus.enabled

Table 199. server.metrics.prometheus.enabled

Description

Set to true to enable the Prometheus endpoint.

Valid values

A boolean.

Default value

false

server.metrics.prometheus.endpoint

Table 200. server.metrics.prometheus.endpoint

Description

The hostname and port to use as Prometheus endpoint.

Valid values

A socket address in the format of hostname:port, hostname, or :port. If missing, it is acquired from server.default_listen_address.

Default value

localhost:2004

Neo4j Browser and client settings

Neo4j Browser and client settings apply only to Neo4j Browser and the client.

browser.allow_outgoing_connections

Table 201. browser.allow_outgoing_connections

Description

Configure the policy for outgoing Neo4j Browser connections.

Valid values

A boolean.

Default value

true

browser.credential_timeout

Table 202. browser.credential_timeout

Description

Configure the Neo4j Browser to time out logged in users after this idle period. Setting this to 0 indicates no limit.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

browser.post_connect_cmd

Table 203. browser.post_connect_cmd

Description

Commands to be run when Neo4j Browser successfully connects to this server. Separate multiple commands with semi-colon.

Valid values

A string.

Default value

browser.remote_content_hostname_whitelist

Table 204. browser.remote_content_hostname_whitelist

Description

Whitelist of hosts for the Neo4j Browser to be allowed to fetch content from.

Valid values

A string.

Default value

guides.neo4j.com,localhost

browser.retain_connection_credentials

Table 205. browser.retain_connection_credentials

Description

Configure the Neo4j Browser to store or not store user credentials.

Valid values

A boolean.

Default value

true

browser.retain_editor_history

Table 206. browser.retain_editor_history

Description

Configure the Neo4j Browser to store or not store user editor history.

Valid values

A boolean.

Default value

true

client.allow_telemetry

Table 207. client.allow_telemetry

Description

Configure client applications such as Browser and Bloom to send Product Analytics data.

Valid values

A boolean.

Default value

true

Kubernetes settings

The Kubernetes settings are used to configure a cluster running on Kubernetes, where each server is running as a Kubernetes service. The addresses of the other servers can be obtained using the List Service API, as described in the Kubernetes API documentation. For more information, see Discovery in Kubernetes.

dbms.kubernetes.address

Table 208. dbms.kubernetes.address

Description

Address for Kubernetes API.

Valid values

A socket address in the format of hostname:port, hostname, or :port.

Default value

kubernetes.default.svc:443

dbms.kubernetes.ca_crt

Table 209. dbms.kubernetes.ca_crt

Description

File location of CA certificate for Kubernetes API.

Valid values

A path.

Default value

/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

dbms.kubernetes.cluster_domain

Table 210. dbms.kubernetes.cluster_domain

Description

Kubernetes cluster domain.

Valid values

A string.

Default value

cluster.local

dbms.kubernetes.label_selector

Table 211. dbms.kubernetes.label_selector

Description

LabelSelector for Kubernetes API.

Valid values

A string.

Default value

dbms.kubernetes.namespace

Table 212. dbms.kubernetes.namespace

Description

File location of namespace for Kubernetes API.

Valid values

A path.

Default value

/var/run/secrets/kubernetes.io/serviceaccount/namespace

dbms.kubernetes.service_port_name

Table 213. dbms.kubernetes.service_port_name

Description

Service port name for discovery for Kubernetes API.

Valid values

A string.

Default value

dbms.kubernetes.discovery.v2.service_port_name

Table 214. dbms.kubernetes.discovery.v2.service_port_name

Description

Service port name for Discovery v2 for Kubernetes API.

Valid values

A string.

Default value

transaction

dbms.kubernetes.token

Table 215. dbms.kubernetes.token

Description

File location of token for Kubernetes API.

Valid values

A path.

Default value

/var/run/secrets/kubernetes.io/serviceaccount/token

Security settings

The security settings are used to configure the security of your Neo4j deployment. Refer to the Security section for thorough information on security in Neo4j.

dbms.security.allow_csv_import_from_file_urls

Table 216. dbms.security.allow_csv_import_from_file_urls

Description

Determines if Cypher will allow using file URLs when loading data using LOAD CSV. Setting this value to false will cause Neo4j to fail LOAD CSV clauses that load data from the file system.

Valid values

A boolean.

Default value

true

dbms.security.auth_cache_max_capacity

Table 217. dbms.security.auth_cache_max_capacity

Description

The maximum capacity for authentication and authorization caches (respectively).

Valid values

An integer.

Default value

10000

dbms.security.auth_cache_ttl

Table 218. dbms.security.auth_cache_ttl

Description

The time to live (TTL) for cached authentication and authorization info when using external auth providers (OIDC, LDAP or plugin). Setting the TTL to 0 will disable auth caching. Disabling caching while using the LDAP auth provider requires the use of an LDAP system account for resolving authorization information.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10m

dbms.security.auth_cache_use_ttl

Table 219. dbms.security.auth_cache_use_ttl

Description

Enable time-based eviction of the authentication and authorization info cache for external auth providers (OIDC, LDAP or plugin). Disabling this setting will make the cache live forever and only be evicted when dbms.security.auth_cache_max_capacity is exceeded.

Valid values

A boolean.

Default value

true

dbms.security.auth_enabled

Table 220. dbms.security.auth_enabled

Description

Enable auth requirement to access Neo4j.

Valid values

A boolean.

Default value

true

dbms.security.auth_minimum_password_length

Table 221. dbms.security.auth_minimum_password_length

Description

The minimum number of characters required in a password.

Valid values

An integer that is minimum 1.

Default value

8

dbms.security.auth_lock_time

Table 222. dbms.security.auth_lock_time

Description

The amount of time a user account should be locked after a configured number of unsuccessful authentication attempts. The locked-out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to a low value is not recommended because it might make it easier for an attacker to brute force the password.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 0s.

Default value

5s

dbms.security.auth_max_failed_attempts

Table 223. dbms.security.auth_max_failed_attempts

Description

The maximum number of unsuccessful authentication attempts before imposing a user lock for the configured amount of time, as defined by dbms.security.auth_lock_time. The locked-out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to values less than 3 is not recommended because it might make it easier for an attacker to brute force the password.

Valid values

An integer that is minimum 0.

Default value

3

dbms.security.authentication_providers

Table 224. dbms.security.authentication_providers

Description

A list of security authentication providers containing the users and roles. This can be any of the built-in native or ldap providers, or it can be an externally provided plugin, with a custom name prefixed by plugin-, i.e. plugin-<AUTH_PROVIDER_NAME>. They will be queried in the given order when login is attempted.

Valid values

A comma-separated list where each element is a string.

Default value

native

dbms.security.authorization_providers

Table 225. dbms.security.authorization_providers

Description

A list of security authorization providers containing the users and roles. This can be any of the built-in native or ldap providers, or it can be an externally provided plugin, with a custom name prefixed by plugin-, i.e. plugin-<AUTH_PROVIDER_NAME>. They will be queried in the given order when login is attempted.

Valid values

A comma-separated list where each element is a string.

Default value

native

dbms.security.cluster_status_auth_enabled

Table 226. dbms.security.cluster_status_auth_enabled

Description

Require authorization for access to the Causal Clustering status endpoints.

Valid values

A boolean.

Default value

true

dbms.security.http_access_control_allow_origin

Table 227. dbms.security.http_access_control_allow_origin

Description

Value of the Access-Control-Allow-Origin header sent over any HTTP or HTTPS connector. This defaults to '*', which allows broadest compatibility. Note that any URI provided here limits HTTP/HTTPS access to that URI only.

Valid values

A string.

Default value

*

dbms.security.http_auth_allowlist

Table 228. dbms.security.http_auth_allowlist

Description

Defines an allowlist of http paths where Neo4j authentication is not required.

Valid values

A comma-separated list where each element is a string.

Default value

/,/browser.*

dbms.security.http_strict_transport_security

Table 229. dbms.security.http_strict_transport_security

Description

Value of the HTTP Strict-Transport-Security (HSTS) response header. This header tells browsers that a webpage should only be accessed using HTTPS instead of HTTP. It is attached to every HTTPS response. This setting is not set by default, so the 'Strict-Transport-Security' header is not sent. The value is expected to contain directives like 'max-age', 'includeSubDomains' and 'preload'.

Valid values

A string.

Default value

dbms.security.http_static_content_security_policy_header

Table 230. dbms.security.http_static_content_security_policy_header

Description

Defines the Content-Security-Policy header to return with content served on static endpoints.

Valid values

A string.

Default value

default-src 'self'; script-src 'self' cdn.segment.com canny.io; img-src 'self' guides.neo4j.com data:; style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; connect-src 'self' api.canny.io api.segment.io ws: wss: http: https:

dbms.security.key.name

Table 231. dbms.security.key.name

Description

Name of the 256 length AES encryption key, which is used for the symmetric encryption.

Valid values

A string.

Default value

aesKey

dbms.security.keystore.password

Table 232. dbms.security.keystore.password

Description

Password for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption.

Valid values

A secure string.

Default value

dbms.security.keystore.path

Table 233. dbms.security.keystore.path

Description

Location of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in system database.

Valid values

A path.

Default value

dbms.security.ldap.authentication.attribute

Table 234. dbms.security.ldap.authentication.attribute

Description

The attribute to use when looking up users. Using this setting requires dbms.security.ldap.authentication.search_for_attribute to be true and thus dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password to be configured.

Valid values

A string that matches the pattern [A-Za-z0-9-]* (has to be a valid LDAP attribute name, only containing letters [A-Za-z], digits [0-9] and hyphens [-]).

Default value

samaccountname

dbms.security.ldap.authentication.cache_enabled

Table 235. dbms.security.ldap.authentication.cache_enabled

Description

Determines if the result of authentication via the LDAP server should be cached or not. Caching is used to limit the number of LDAP requests that have to be made over the network for users that have already been authenticated successfully. A user can be authenticated against an existing cache entry (instead of via an LDAP server) as long as it is alive (see dbms.security.auth_cache_ttl). An important consequence of setting this to true is that Neo4j then needs to cache a hashed version of the credentials in order to perform credentials matching. This hashing is done using a cryptographic hash function together with a random salt. Preferably, a conscious decision should be made as to whether this method is considered acceptable by the security standards of the organization in which this Neo4j instance is deployed.

Valid values

A boolean.

Default value

true

dbms.security.ldap.authentication.mechanism

Table 236. dbms.security.ldap.authentication.mechanism

Description

LDAP authentication mechanism. This is one of simple or a SASL mechanism supported by JNDI, for example DIGEST-MD5. simple is basic username and password authentication and SASL is used for more advanced mechanisms. See RFC 2251 LDAPv3 documentation for more details.

Valid values

A string.

Default value

simple

dbms.security.ldap.authentication.search_for_attribute

Table 237. dbms.security.ldap.authentication.search_for_attribute

Description

Perform authentication by searching for a unique attribute of a user. Using this setting requires dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password to be configured.

Valid values

A boolean.

Default value

false

dbms.security.ldap.authentication.user_dn_template

Table 238. dbms.security.ldap.authentication.user_dn_template

Description

LDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that conforms with the LDAP directory’s schema from the user principal that is submitted with the authentication token when logging in. The special token {0} is a placeholder where the user principal will be substituted into the DN string.

Valid values

A string that must contain '{0}' to indicate where to insert the runtime authentication principal.

Default value

uid={0},ou=users,dc=example,dc=com

dbms.security.ldap.authorization.access_permitted_group

Table 239. dbms.security.ldap.authorization.access_permitted_group

Description

The LDAP group to which a user must belong to get any access to the system. Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user who successfully authenticates via LDAP will have access to the PUBLIC role and any other roles assigned to them via dbms.security.ldap.authorization.group_to_role_mapping.

Valid values

A string.

Default value

dbms.security.ldap.authorization.group_membership_attributes

Table 240. dbms.security.ldap.authorization.group_membership_attributes

Description

A list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled. This setting is ignored when dbms.ldap_authorization_nested_groups_enabled is true.

Valid values

A comma-separated list where each element is a string, which cannot be empty.

Default value

memberOf

dbms.security.ldap.authorization.group_to_role_mapping

Table 241. dbms.security.ldap.authorization.group_to_role_mapping

Description

An authorization mapping from LDAP group names to Neo4j role names. The map should be formatted as a semicolon-separated list of key-value pairs, where the key is the LDAP group name and the value is a comma-separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5. You could also use whitespace and quotes around group names to make this mapping more readable, for example:

dbms.security.ldap.authorization.group_to_role_mapping=\
         "cn=Neo4j Read Only,cn=users,dc=example,dc=com"      = reader;    \
         "cn=Neo4j Read-Write,cn=users,dc=example,dc=com"     = publisher; \
         "cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \
         "cn=Neo4j Administrator,cn=users,dc=example,dc=com"  = admin

Valid values

A string that must be a semicolon-separated list of key-value pairs or empty.

Default value

dbms.security.ldap.authorization.nested_groups_enabled

Table 242. dbms.security.ldap.authorization.nested_groups_enabled

Description

This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to true then instead of using attributes on the user object to determine group membership (as specified by dbms.security.ldap.authorization.group_membership_attributes), the user object will only be used to determine the user’s Distinguished Name, which will subsequently be used with dbms.security.ldap.authorization.user_search_filter in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles.

Valid values

A boolean.

Default value

false

dbms.security.ldap.authorization.nested_groups_search_filter

Table 243. dbms.security.ldap.authorization.nested_groups_search_filter

Description

The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token {0} which will be substituted with the user’s Distinguished Name (which is found for the specified user principal using dbms.security.ldap.authorization.user_search_filter). The default value specifies Active Directory’s LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user.

Valid values

A string.

Default value

(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))

dbms.security.ldap.authorization.system_password

Table 244. dbms.security.ldap.authorization.system_password

Description

An LDAP system account password to use for authorization searches when dbms.security.ldap.authorization.use_system_account is true.

Valid values

A secure string.

Default value

dbms.security.ldap.authorization.system_username

Table 245. dbms.security.ldap.authorization.system_username

Description

An LDAP system account username to use for authorization searches when dbms.security.ldap.authorization.use_system_account is true. Note that the dbms.security.ldap.authentication.user_dn_template will not be applied to this username, so you may have to specify a full DN.

Valid values

A string.

Default value

dbms.security.ldap.authorization.use_system_account

Table 246. dbms.security.ldap.authorization.use_system_account

Description

Perform LDAP search for authorization info using a system account instead of the user’s own account. If this is set to false (default), the search for group membership will be performed directly after authentication using the LDAP context bound with the user’s own account. The mapped roles will be cached for the duration of dbms.security.auth_cache_ttl, and then expire, requiring re-authentication. To avoid frequently having to re-authenticate sessions you may want to set a relatively long auth cache expiration time together with this option.
NOTE: This option will only work if the users are permitted to search for their own group membership attributes in the directory.

If this is set to true, the search will be performed using a special system account user with read access to all the users in the directory. You need to specify the username and password using the settings dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password with this option. Note that this account only needs read access to the relevant parts of the LDAP directory and does not need to have access rights to Neo4j, or any other systems.

Valid values

A boolean.

Default value

false

dbms.security.ldap.authorization.user_search_base

Table 247. dbms.security.ldap.authorization.user_search_base

Description

The name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of dbms.security.ldap.authentication.user_dn_template.

Valid values

A string that cannot be empty.

Default value

ou=users,dc=example,dc=com

dbms.security.ldap.authorization.user_search_filter

Table 248. dbms.security.ldap.authorization.user_search_filter

Description

The LDAP search filter to search for a user principal when LDAP authorization is enabled. The filter should contain the placeholder token {0} which will be substituted for the user principal.

Valid values

A string.

Default value

(&(objectClass=*)(uid={0}))

dbms.security.ldap.connection_timeout

Table 249. dbms.security.ldap.connection_timeout

Description

The timeout for establishing an LDAP connection. If a connection with the LDAP server cannot be established within the given time the attempt is aborted. A value of 0 means to use the network protocol’s (i.e., TCP’s) timeout value.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

30s

dbms.security.ldap.host

Table 250. dbms.security.ldap.host

Description

URL of LDAP server to use for authentication and authorization. The format of the setting is <protocol>://<hostname>:<port>, where hostname is the only required field. The supported values for protocol are ldap (default) and ldaps. The default port for ldap is 389 and for ldaps 636. For example: ldaps://ldap.example.com:10389. You may want to consider using STARTTLS (dbms.security.ldap.use_starttls) instead of LDAPS for secure connections, in which case the correct protocol is ldap.

Valid values

A string.

Default value

localhost

dbms.security.ldap.read_timeout

Table 251. dbms.security.ldap.read_timeout

Description

The timeout for an LDAP read request (i.e. search). If the LDAP server does not respond within the given time the request will be aborted. A value of 0 means wait for a response indefinitely.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

30s

dbms.security.ldap.referral

Table 252. dbms.security.ldap.referral

Description

The LDAP referral behavior when creating a connection. This is one of follow, ignore or throw.

  • follow automatically follows any referrals

  • ignore ignores any referrals

  • throw throws an exception, which will lead to authentication failure.

Valid values

A string.

Default value

follow

dbms.security.ldap.use_starttls

Table 253. dbms.security.ldap.use_starttls

Description

Use secure communication with the LDAP server using opportunistic TLS. First an initial insecure connection will be made with the LDAP server, and a STARTTLS command will be issued to negotiate an upgrade of the connection to TLS before initiating authentication.

Valid values

A boolean.

Default value

false

dbms.security.log_successful_authentication

Table 254. dbms.security.log_successful_authentication

Description

Set to log successful authentication events to the security log. If this is set to false only failed authentication events will be logged, which could be useful if you find that the successful events spam the logs too much, and you do not require full auditing capability.

Valid values

A boolean.

Default value

true

dbms.security.logs.ldap.groups_at_debug_level_enabled

Table 255. dbms.security.logs.ldap.groups_at_debug_level_enabled

Description

When set to true, logs the groups retrieved from the LDAP server. This will only take effect when the security log level is set to DEBUG. WARNING: It is strongly advised that this is set to false when running in a production environment in order to prevent logging of sensitive information.

Valid values

A boolean.

Default value

false

dbms.security.oidc.<provider>.audience

Table 256. dbms.security.oidc.<provider>.audience

Description

Expected values of the Audience (aud) claim in the id token.

Valid values

A comma-separated list where each element is a string, which cannot be empty.

dbms.security.oidc.<provider>.auth_endpoint

Table 257. dbms.security.oidc.<provider>.auth_endpoint

Description

The OIDC authorization endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

a URI

dbms.security.oidc.<provider>.auth_flow

Table 258. dbms.security.oidc.<provider>.auth_flow

Description

The OIDC flow to use. This is exposed to clients via the discovery endpoint. Supported values are pkce and implicit.

Valid values

One of [PKCE, IMPLICIT].

Default value

PKCE

dbms.security.oidc.<provider>.auth_params

Table 259. dbms.security.oidc.<provider>.auth_params

Description

Optional additional parameters that the auth endpoint requires. Please use params instead. The map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2.

Valid values

A simple key value map pattern k1=v1;k2=v2.

Default value

{}

dbms.security.oidc.<provider>.authorization.group_to_role_mapping

Table 260. dbms.security.oidc.<provider>.authorization.group_to_role_mapping

Description

An authorization mapping from IdP group names to Neo4j role names. The map should be formatted as a semicolon-separated list of key-value pairs, where the key is the IdP group name and the value is a comma-separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5. You could also use whitespace and quotes around group names to make this mapping more readable, for example:

dbms.security.oidc.<provider>.authorization.group_to_role_mapping=\
         "Neo4j Read Only"      = reader;    \
         "Neo4j Read-Write"     = publisher; \
         "Neo4j Schema Manager" = architect; \
         "Neo4j Administrator"  = admin

Valid values

A string that must be a semicolon-separated list of key-value pairs or empty.
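The group_to_role_mapping format described for both the LDAP and the OIDC setting can be checked before deployment. The following is an added example, not Neo4j's own parser: it approximates the documented format (semicolon-separated pairs, optional quotes and whitespace, comma-separated roles) and lists mappings worth a second look. The function names, the approved_admin_groups parameter, and the Contractors group and auditor role in the sample are hypothetical.

```python
# Added example: parse and review a group_to_role_mapping value.
# Built-in Neo4j role names; anything else is treated as a custom role.
BUILT_IN_ROLES = {"PUBLIC", "reader", "editor", "publisher", "architect", "admin"}

# Constructed sample in the quoted, multi-line style of the documented example.
SAMPLE = r'''"cn=Neo4j Read Only,cn=users,dc=example,dc=com"  = reader;    \
         "cn=Neo4j Read-Write,cn=users,dc=example,dc=com" = publisher; \
         "cn=Contractors,cn=users,dc=example,dc=com"      = admin, auditor'''


def split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_group_to_role_mapping(value):
    """Return {group: [roles]} for 'group=role1,role2;group2=role3'."""
    value = value.replace("\\\n", "")  # join neo4j.conf line continuations
    mapping = {}
    for entry in split_outside_quotes(value, ";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith('"'):
            # Quoted group name: may itself contain ',' and '=' (an LDAP DN).
            end = entry.find('"', 1)
            if end == -1:
                raise ValueError(f"unterminated quote in {entry!r}")
            group = entry[1:end]
            rest = entry[end + 1:].lstrip()
            if not rest.startswith("="):
                raise ValueError(f"missing '=' after group in {entry!r}")
            roles_part = rest[1:]
        else:
            # Unquoted: the last '=' separates the group from its roles.
            group, sep, roles_part = entry.rpartition("=")
            if not sep:
                raise ValueError(f"missing '=' in {entry!r}")
            group = group.strip()
        roles = [r.strip() for r in roles_part.split(",") if r.strip()]
        if not group or not roles:
            raise ValueError(f"empty group or role list in {entry!r}")
        if group in mapping:
            raise ValueError(f"group listed twice: {group!r}")
        mapping[group] = roles
    return mapping


def review_mapping(mapping, approved_admin_groups):
    """Flag admin grants outside the approved set and non-built-in role names."""
    findings = []
    for group, roles in mapping.items():
        if "admin" in roles and group not in approved_admin_groups:
            findings.append(("unapproved-admin", group))
        for role in roles:
            if role not in BUILT_IN_ROLES:
                findings.append(("custom-role", f"{group} -> {role}"))
    return findings


if __name__ == "__main__":
    approved = {"cn=Neo4j Administrator,cn=users,dc=example,dc=com"}
    for kind, detail in review_mapping(parse_group_to_role_mapping(SAMPLE), approved):
        print(kind, detail)
```

A custom-role finding is not an error in itself; it is a prompt to confirm that the role exists in the system database with the intended privileges.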

dbms.security.oidc.<provider>.claims.groups

Table 261. dbms.security.oidc.<provider>.claims.groups

Description

The claim to use as the list of groups in Neo4j. These could be Neo4j roles directly, or can be mapped using dbms.security.oidc.<provider>.authorization.group_to_role_mapping. From Neo4j 5.4, the JWT claim may also contain a single group returned as a string, as well as a list of groups as was previously required.

Valid values

A string.

dbms.security.oidc.<provider>.claims.username

Table 262. dbms.security.oidc.<provider>.claims.username

Description

The claim to use as the username in Neo4j. This would typically be sub, but in some situations it may be desirable to use something else such as email.

Valid values

A string.

Default value

sub

dbms.security.oidc.<provider>.client_id

Table 263. dbms.security.oidc.<provider>.client_id

Description

Client id. Not used. This value was previously used to validate the azp claim in the id_token, but this validation has been removed in line with updates to the OIDC specification.

Valid values

A string.

dbms.security.oidc.<provider>.config

Table 264. dbms.security.oidc.<provider>.config

Description

The accepted values (all optional) are:

  • principal: in which JWT claim the user’s email address is specified, email is the default. This is the value that will be shown in browser.

  • code_challenge_method: default is S256 and it’s the only supported method at this moment. This setting applies only to the pkce auth flow.

  • token_type_principal: the options are almost always either access_token, which is the default, or id_token.

  • token_type_authentication: the options are almost always either access_token, which is the default, or id_token.

  • implicit_flow_requires_nonce: true or false. Defaults to false.

Valid values

A simple key-value map pattern k1=v1;k2=v2. Valid key options are: [implicit_flow_requires_nonce, token_type_authentication, token_type_principal, principal, code_challenge_method].

Default value

{}

dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled

Table 265. dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled

Description

When set to true, it logs the claims from the JWT. This will only take effect when the security log level is set to DEBUG.

It is strongly advised that this is set to false when running in a production environment in order to prevent logging of sensitive information. Also note that the contents of the JWT claims set can change over time because they are dependent entirely upon the ID provider.

Valid values

A boolean.

Default value

false

dbms.security.oidc.<provider>.display_name

Table 266. dbms.security.oidc.<provider>.display_name

Description

The user-facing name of the provider as provided by the discovery endpoint to clients (Bloom, Browser etc.).

Valid values

A string.

dbms.security.oidc.<provider>.get_groups_from_user_info

Table 267. dbms.security.oidc.<provider>.get_groups_from_user_info

Description

When turned on, Neo4j gets the groups from the provider user info endpoint.

Valid values

A boolean.

Default value

false

dbms.security.oidc.<provider>.get_username_from_user_info

Table 268. dbms.security.oidc.<provider>.get_username_from_user_info

Description

When turned on, Neo4j gets the username from the provider user info endpoint.

Valid values

A boolean.

Default value

false

dbms.security.oidc.<provider>.issuer

Table 269. dbms.security.oidc.<provider>.issuer

Description

The expected value of the iss claim in the id token. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

A string.

dbms.security.oidc.<provider>.jwks_uri

Table 270. dbms.security.oidc.<provider>.jwks_uri

Description

The location of the JWK public key set for the identity provider. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

a URI

dbms.security.oidc.<provider>.params

Table 271. dbms.security.oidc.<provider>.params

Description

The map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2. The user should at least provide:

  client_id: the SSO IdP client identifier.
  response_type: code if auth_flow is pkce or token for implicit auth_flow.
  scope: often containing a subset of 'email profile openid groups'.

For example: client_id=my-client-id;response_type=code;scope=openid profile email.

Valid values

A simple key-value map pattern k1=v1;k2=v2. Required key options are: [scope, client_id, response_type].

Default value

{}

dbms.security.oidc.<provider>.token_endpoint

Table 272. dbms.security.oidc.<provider>.token_endpoint

Description

The OIDC token endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

a URI

dbms.security.oidc.<provider>.token_params

Table 273. dbms.security.oidc.<provider>.token_params

Description

Optional query parameters that the token endpoint requires. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2. If the token endpoint requires a client_secret then this parameter should contain client_secret=super-secret.

Valid values

A simple key value map pattern k1=v1;k2=v2.

Default value

{}

dbms.security.oidc.<provider>.user_info_uri

Table 274. dbms.security.oidc.<provider>.user_info_uri

Description

The identity provider’s user info URI.

Valid values

a URI

dbms.security.oidc.<provider>.well_known_discovery_uri

Table 275. dbms.security.oidc.<provider>.well_known_discovery_uri

Description

OpenID Connect Discovery endpoint used to fetch identity provider settings. If not provided, issuer, jwks_uri, auth_endpoint should be present. If the auth_flow is pkce, token_endpoint should also be provided.

Valid values

a URI

dbms.security.procedures.allowlist

Table 276. dbms.security.procedures.allowlist

Description

A list of procedures (comma separated) that are to be loaded. The list may contain both fully-qualified procedure names, and partial names with the wildcard *. The default (*) loads all procedures. If no value is specified, no procedures will be loaded.

Valid values

A comma-separated list where each element is a string.

Default value

*

dbms.security.procedures.unrestricted

Table 277. dbms.security.procedures.unrestricted

Description

A list of procedures and user-defined functions (comma separated) that are allowed full access to the database. The list may contain both fully-qualified procedure names, and partial names with the wildcard *. Note that this enables these procedures to bypass security. Use with caution.

Valid values

A comma-separated list where each element is a string.

Default value

dbms.security.require_local_user

Table 278. dbms.security.require_local_user

Description

This controls if a local user has to be created for external authentication. If set to the default (false), no user has to be created to authenticate with an external authentication provider. If set to true, a user representing the external user must be created before they can authenticate successfully.

Valid values

A boolean.

Default value

false

dbms.netty.ssl.provider

Table 279. dbms.netty.ssl.provider

Description

Netty SSL provider.

Valid values

One of [JDK, OPENSSL, OPENSSL_REFCNT].

Default value

JDK
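The security settings in this section can be reviewed mechanically. The following is an added example, not part of Neo4j: it parses neo4j.conf text (joining backslash continuations) and reports the conditions the descriptions on this page call out, with the weak sample beside a corrected one. Both sample files are constructed; the provider name myidp, the hostnames and the example.procs.* pattern are assumptions.

```python
import re

# Defaults taken from the settings tables on this page.
DEFAULTS = {
    "dbms.security.authentication_providers": "native",
    "dbms.security.authorization_providers": "native",
    "dbms.security.http_access_control_allow_origin": "*",
    "dbms.security.ldap.host": "localhost",
    "dbms.security.ldap.use_starttls": "false",
    "dbms.security.log_successful_authentication": "true",
    "dbms.security.logs.ldap.groups_at_debug_level_enabled": "false",
    "dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled": "false",
}
OIDC_KEY = re.compile(r"^dbms\.security\.oidc\.([^.]+)\.(.+)$")

WEAK = r"""# constructed sample, not a recommended configuration
dbms.security.authentication_providers=ldap,native
dbms.security.authorization_providers=ldap,native
dbms.security.ldap.host=ldap://ldap.example.com:389
dbms.security.procedures.unrestricted=example.procs.*
dbms.security.logs.ldap.groups_at_debug_level_enabled=true
dbms.security.oidc.myidp.token_params=client_secret=super-secret
dbms.security.ldap.authorization.group_to_role_mapping=\
    "cn=Neo4j Administrator,cn=users,dc=example,dc=com" = admin
"""

HARDENED = r"""# constructed sample with the findings above addressed
dbms.security.authentication_providers=ldap,native
dbms.security.ldap.host=ldap://ldap.example.com
dbms.security.ldap.use_starttls=true
dbms.security.http_strict_transport_security=max-age=31536000; includeSubDomains
dbms.security.http_access_control_allow_origin=https://browser.example.com
"""


def load_conf(text):
    """Parse neo4j.conf text into {key: value}; joins '\\' continuations."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # values may contain '='
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (setting, finding) tuples for risks named in the descriptions."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, ""))

    def is_true(key):
        return get(key).lower() == "true"

    findings = []
    providers = {p.strip()
                 for key in ("dbms.security.authentication_providers",
                             "dbms.security.authorization_providers")
                 for p in get(key).split(",")}
    host = get("dbms.security.ldap.host")
    if ("ldap" in providers and not host.startswith("ldaps://")
            and not is_true("dbms.security.ldap.use_starttls")):
        findings.append(("dbms.security.ldap.host",
                         "LDAP provider used without ldaps:// or STARTTLS"))
    if not get("dbms.security.http_strict_transport_security"):
        findings.append(("dbms.security.http_strict_transport_security",
                         "unset, so no Strict-Transport-Security header is sent"))
    if get("dbms.security.http_access_control_allow_origin") == "*":
        findings.append(("dbms.security.http_access_control_allow_origin",
                         "'*' does not limit HTTP/HTTPS access to one URI"))
    if "*" in get("dbms.security.procedures.unrestricted"):
        findings.append(("dbms.security.procedures.unrestricted",
                         "wildcard lets matching procedures bypass security"))
    for key in ("dbms.security.logs.ldap.groups_at_debug_level_enabled",
                "dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled"):
        if is_true(key):
            findings.append((key, "sensitive data logged at DEBUG level"))
    if get("dbms.security.log_successful_authentication").lower() == "false":
        findings.append(("dbms.security.log_successful_authentication",
                         "only failed logins are logged; no full audit trail"))
    for key, value in settings.items():
        match = OIDC_KEY.match(key)
        if match and match.group(2) == "token_params" and "client_secret=" in value:
            findings.append((key, "client_secret stored in neo4j.conf; "
                                  "restrict who can read the file"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(load_conf(WEAK)):
        print(f"{setting}: {finding}")
```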

Server directories settings

The server directories settings can be used to change the default locations of your Neo4j files. For more information, see Default file locations.

server.directories.cluster_state

Table 280. server.directories.cluster_state

Description

Directory to hold cluster state including Raft log.

Valid values

A path. If relative, it is resolved from server.directories.data.

Default value

cluster-state

server.directories.data

Table 281. server.directories.data

Description

Path of the data directory. You must not configure more than one Neo4j installation to use the same data directory.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

data

server.directories.dumps.root

Table 282. server.directories.dumps.root

Description

Root location where Neo4j will store database dumps optionally produced when dropping said databases.

Valid values

A path. If relative, it is resolved from server.directories.data.

Default value

dumps

server.directories.import

Table 283. server.directories.import

Description

Sets the root directory for file URLs used with the Cypher LOAD CSV clause. This should be set to a directory relative to the Neo4j installation path, restricting access to only those files within that directory and its subdirectories. For example the value "import" will only enable access to files within the 'import' folder. Removing this setting will disable the security feature, allowing all files in the local system to be imported. Setting this to an empty field will allow access to all files within the Neo4j installation folder.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

server.directories.lib

Table 284. server.directories.lib

Description

Path of the lib directory.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

lib

server.directories.licenses

Table 285. server.directories.licenses

Description

Path of the licenses directory.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

licenses

server.directories.logs

Table 286. server.directories.logs

Description

Path of the logs directory.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

logs

server.directories.metrics

Table 287. server.directories.metrics

Description

The target location of the CSV files: a path to a directory wherein a CSV file per reported field will be written.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

metrics

server.directories.neo4j_home

Table 288. server.directories.neo4j_home

Description

Root relative to which directory settings are resolved. Calculated and set by the server on startup. Defaults to the current working directory.

Valid values

A path that is absolute.

Default value

server.directories.plugins

Table 289. server.directories.plugins

Description

Location of the database plugin directory. Compiled Java JAR files that contain database procedures will be loaded if they are placed in this directory.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

plugins

server.directories.run

Table 290. server.directories.run

Description

Path of the run directory. This directory holds Neo4j’s runtime state, such as a pidfile when it is running in the background. The pidfile is created when starting neo4j and removed when stopping it. It may be placed on an in-memory filesystem such as tmpfs.

Valid values

A path. If relative, it is resolved from server.directories.neo4j_home.

Default value

run

server.directories.script.root

Table 291. server.directories.script.root

Description

Root location where Neo4j will store scripts for configured databases.

Valid values

A path. If relative, it is resolved from server.directories.data.

Default value

scripts

server.directories.transaction.logs.root

Table 292. server.directories.transaction.logs.root

Description

Root location where Neo4j will store transaction logs for configured databases.

Valid values

A path. If relative, it is resolved from server.directories.data.

Default value

transactions

Server settings

Server settings apply only to the specific server and can be varied between configuration files across a cluster/DBMS.

server.backup.enabled

Table 293. server.backup.enabled

Description

Enable support for running online backups.

Valid values

A boolean.

Default value

true

server.backup.exec_connector.command

Table 294. server.backup.exec_connector.command

Description

Command to execute for ExecDataConnector list.

Valid values

A string.

Default value

server.backup.exec_connector.scheme

Table 295. server.backup.exec_connector.scheme

Description

Schemes ExecDataConnector will match on.

Valid values

A comma-separated list where each element is a string.

Default value

server.backup.listen_address

Table 296. server.backup.listen_address

Description

Network interface and port for the backup server to listen on.

Valid values

A socket address in the format of hostname:port, hostname, or :port.

Default value

127.0.0.1:6362

server.backup.store_copy_max_retry_time_per_request

Table 297. server.backup.store_copy_max_retry_time_per_request

Description

Maximum retry time per request during store copy. Regular store files and indexes are downloaded in separate requests during store copy. This configures the maximum time failed requests are allowed to resend.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

20m

server.config.strict_validation.enabled

Table 298. server.config.strict_validation.enabled

Description

A strict configuration validation will prevent the database from starting up if unknown configuration options are specified in the neo4j settings namespace (such as dbms., cypher., etc) or if settings are declared multiple times.

Valid values

A boolean.

Default value

true

server.databases.default_to_read_only

Table 299. server.databases.default_to_read_only

Description

Whether or not any database on this instance is read_only by default. If false, individual databases may be marked as read_only using server.databases.read_only. If true, individual databases may be marked as writable using server.databases.writable.

Valid values

A boolean.

Default value

false

server.databases.read_only

Table 300. server.databases.read_only

Description

List of databases for which to prevent write queries. Databases not included in this list may be read_only anyway depending upon the value of server.databases.default_to_read_only.

Valid values

A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name system.

Default value

server.databases.writable

Table 301. server.databases.writable

Description

List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless server.databases.default_to_read_only is set to true.

Valid values

A comma-separated set where each element is a valid database name containing only alphabetic characters, numbers, dots, and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name system.

Default value

server.dynamic.setting.allowlist

Table 302. server.dynamic.setting.allowlist

Description

A list of setting name patterns (comma separated) that are allowed to be dynamically changed. The list may contain both full setting names, and partial names with the wildcard *. If this setting is left empty all dynamic settings updates will be blocked.

Valid values

A comma-separated list where each element is a string.

Default value

*
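Because the default of * permits every dynamic setting to be changed at runtime, it helps to check a proposed allowlist against the settings that should stay fixed. The following is an added example, not Neo4j's own matching code. It assumes that * matches any run of characters and that all other characters match literally. The function names are hypothetical and the setting names are sample input taken from this page.

```python
import re


def compile_allowlist(value):
    """Turn the comma-separated allowlist value into regex patterns."""
    patterns = []
    for raw in value.split(","):
        item = raw.strip()
        if item:
            # Only '*' is special; every other character is matched literally.
            body = ".*".join(re.escape(part) for part in item.split("*"))
            patterns.append(re.compile(body))
    return patterns


def is_dynamic_update_allowed(setting, allowlist_value):
    """True if a runtime change of `setting` passes the allowlist."""
    # An empty allowlist yields no patterns, so every update is blocked.
    patterns = compile_allowlist(allowlist_value)
    return any(p.fullmatch(setting) for p in patterns)


def exposed(locked_settings, allowlist_value):
    """Settings meant to stay fixed that the allowlist still lets through."""
    return sorted(
        s for s in locked_settings
        if is_dynamic_update_allowed(s, allowlist_value)
    )


if __name__ == "__main__":
    # Constructed sample: settings an operator wants fixed at runtime.
    locked = [
        "db.transaction.timeout",
        "db.transaction.concurrent.maximum",
        "db.lock.acquisition.timeout",
    ]
    for candidate in ("*", "", "db.transaction.*", "db.tx_log.*"):
        print(repr(candidate), "->", exposed(locked, candidate))
```

A partial pattern such as db.transaction.* still covers every setting under that prefix, so listing full setting names gives the narrowest allowlist.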

server.jvm.additional

Table 303. server.jvm.additional

Description

Additional JVM arguments. Argument order can be significant. To use a Java commercial feature, the argument to unlock commercial features must precede the argument to enable the specific feature in the config value string.

Valid values

One or more jvm arguments.

Default value

server.max_databases

Table 304. server.max_databases

Description

The maximum number of databases.

Valid values

A long that is minimum 2.

Default value

100

Replaced by

server.panic.shutdown_on_panic

Table 305. server.panic.shutdown_on_panic

Description

Whether the neo4j process should shut down or continue running if there is a Database Management System (DBMS) panic (an irrecoverable error). Following a DBMS panic, it is likely that a significant amount of functionality will be lost. Recovering full functionality will require a Neo4j restart. Default is false except for Neo4j Enterprise Edition deployments running on Kubernetes where it is true.

Valid values

A boolean.

Default value

false

server.threads.worker_count

Table 306. server.threads.worker_count

Description

Number of Neo4j worker threads. This setting is only valid for REST and does not influence bolt-server. It sets the number of worker threads for the Jetty server used by neo4j-server. This option can be tuned when you plan to execute multiple, concurrent REST requests, to get more throughput from the database. Your OS might enforce a lower limit than the maximum value specified here. The default is the number of available processors, or 500 for machines that have more than 500 processors.

Valid values

An integer that is in the range 1 to 44738.

Default value

server.unmanaged_extension_classes

Table 307. server.unmanaged_extension_classes

Description

Comma-separated list of <classname>=<mount point> for unmanaged extensions.

Valid values

A comma-separated list where each element is <classname>=<mount point> string.

Default value

server.windows_service_name

Table 308. server.windows_service_name

Description

Name of the Windows Service managing Neo4j when installed using neo4j install-service. Only applicable on Windows OS.
NOTE: This must be unique for each installation.

Valid values

A string.

Default value

neo4j

Transaction settings

The transaction settings help you manage the transactions in your database, for example, the transaction timeout, the lock acquisition timeout, the maximum number of concurrently running transactions, etc. For more information, see Manage transactions and Concurrent data access.

db.lock.acquisition.timeout

Table 309. db.lock.acquisition.timeout

Description

The maximum time interval within which a lock should be acquired. Zero (default) means the timeout is disabled.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

db.shutdown_transaction_end_timeout

Table 310. db.shutdown_transaction_end_timeout

Description

The maximum amount of time to wait for running transactions to complete before allowing initiated database shutdown to continue.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

10s

db.transaction.bookmark_ready_timeout

Table 311. db.transaction.bookmark_ready_timeout

Description

The maximum amount of time to wait for the database state represented by the bookmark.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) that is minimum 1s.

Default value

30s

db.transaction.concurrent.maximum

Table 312. db.transaction.concurrent.maximum

Description

The maximum number of concurrently running transactions. If set to 0, the limit is disabled.

Valid values

An integer.

Default value

1000

db.transaction.monitor.check.interval

Table 313. db.transaction.monitor.check.interval

Description

Configures the time interval between transaction monitor checks. Determines how often the monitor thread will check a transaction for timeout.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

2s

db.transaction.sampling.percentage

Table 314. db.transaction.sampling.percentage

Description

Transaction sampling percentage.

Valid values

An integer that is in the range 1 to 100.

Default value

5

db.transaction.timeout

Table 315. db.transaction.timeout

Description

The maximum time interval of a transaction within which it should be completed.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

0s

db.transaction.tracing.level

Table 316. db.transaction.tracing.level

Description

Transaction creation tracing level.

Valid values

One of [DISABLED, SAMPLE, ALL].

Default value

DISABLED

server.http.transaction_idle_timeout

Table 317. server.http.transaction_idle_timeout

Description

Timeout for idle transactions in the HTTP Server.
NOTE: This is different from 'db.transaction.timeout', which times out the underlying transaction.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

30s

server.queryapi.transaction_idle_timeout

Table 318. server.queryapi.transaction_idle_timeout

Description

Timeout for idle transactions in the Query API.
NOTE: This is different from 'db.transaction.timeout', which times out the underlying transaction.

Valid values

A duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s).

Default value

1m

Transaction log settings

Transaction logs keep the list of transactions that have not yet been applied to the store files. This is necessary for recovery. The following settings configure the number of transaction logs left after a pruning operation and the size of the transaction log files.

db.recovery.fail_on_missing_files

Table 319. db.recovery.fail_on_missing_files

Description

If true, Neo4j will abort recovery if transaction log files are missing. Setting this to false will allow Neo4j to create new empty missing files for the already existing database, but the integrity of the database might be compromised.

Valid values

A boolean.

Default value

true

db.tx_log.buffer.size

Table 320. db.tx_log.buffer.size

Description

During serialization, transaction logs are temporarily stored in a byte buffer that is flushed at the end of the transaction or whenever the buffer is full. By default, the size of the byte buffer is based on the number of available CPUs with a minimal buffer size of 512KB. Every other 4 CPUs will add another 512KB into the buffer size. The maximal buffer size in this default scheme is 4MB, taking into account that you can have one transaction log writer per database in a multi-database environment. For example, a runtime with 4 CPUs will have a buffer size of 1MB; a runtime with 8 CPUs will have a buffer size of 1MB 512KB; a runtime with 12 CPUs will have a buffer size of 2MB.

Valid values

A long that is minimum 131072.

Default value

db.tx_log.preallocate

Table 321. db.tx_log.preallocate

Description

Specify if Neo4j should try to preallocate the logical log file in advance. It optimizes the file system by ensuring there is room to accommodate newly generated files and avoids file-level fragmentation.

Valid values

A boolean.

Default value

true

db.tx_log.rotation.retention_policy

Table 322. db.tx_log.rotation.retention_policy

Description

Specify how long Neo4j should keep logical transaction logs to back up the database. For example, 10 days prunes logical logs that only contain transactions older than 10 days. Alternatively, 100k txs keeps the 100k latest transactions from each database and prunes any older transactions. From Neo4j 5.9 onwards, you can optionally add a period-based restriction to the size of logs to keep. For example, 2 days 1G prunes logical logs that only contain transactions older than 2 days or are larger than 1G.

Valid values

A string that matches the pattern ^(true|keep_all|false|keep_none|(\d+[KkMmGg]?( (files|size|txs|entries|hours( \d+[KkMmGg]?)?|days( \d+[KkMmGg]?)?))))$ (Must be true or keep_all, false or keep_none, or of format <number><optional unit> <type> <optional space restriction>. Valid units are K, M and G. Valid types are files, size, txs, entries, hours and days. Valid optional space restriction is a logical log space restriction like 100M. For example, 100M size will limit logical log space on disk to 100MiB per database, and 200K txs will limit the number of transactions kept to 200 000 per database.).

Default value

2 days 2G
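A value for db.tx_log.rotation.retention_policy can be checked against the documented pattern before it reaches neo4j.conf. The following is an added example, not Neo4j's own parser. It scales size values and space restrictions in binary steps (matching "100M size" meaning 100MiB) and other amounts in decimal steps (matching "200K txs" meaning 200 000). Applying decimal scaling to files, entries, hours and days is an assumption, and the function names are hypothetical.

```python
import re

# Pattern copied verbatim from the "Valid values" entry above.
POLICY_RE = re.compile(
    r"^(true|keep_all|false|keep_none|(\d+[KkMmGg]?( (files|size|txs|entries|"
    r"hours( \d+[KkMmGg]?)?|days( \d+[KkMmGg]?)?))))$"
)
UNIT_POWER = {"": 0, "k": 1, "m": 2, "g": 3}


def _scaled(token, base):
    """Convert e.g. '200K' to an integer using the given multiplier base."""
    digits = token.rstrip("KkMmGg")
    unit = token[len(digits):].lower()
    return int(digits) * base ** UNIT_POWER[unit]


def parse_retention_policy(value):
    """Validate a retention policy string and return it in structured form."""
    # fullmatch also rejects a trailing newline, which '$' alone would allow.
    if not POLICY_RE.fullmatch(value):
        raise ValueError(f"rejected by the documented pattern: {value!r}")
    if value in ("true", "keep_all"):
        return {"mode": "keep_all"}
    if value in ("false", "keep_none"):
        return {"mode": "keep_none"}
    tokens = value.split(" ")
    kind = tokens[1]
    base = 1024 if kind == "size" else 1000
    policy = {"mode": kind, "amount": _scaled(tokens[0], base)}
    if len(tokens) == 3:
        # The pattern only allows a space restriction after hours or days.
        policy["max_bytes"] = _scaled(tokens[2], 1024)
    return policy


if __name__ == "__main__":
    # Constructed sample values; the last three are rejected by the pattern.
    for sample in ("2 days 2G", "100M size", "200K txs", "keep_all",
                   "100 size 1G", "2 weeks", "10  days"):
        try:
            print(f"{sample!r:>14} -> {parse_retention_policy(sample)}")
        except ValueError as err:
            print(f"{sample!r:>14} -> {err}")
```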

db.tx_log.rotation.size

Table 323. db.tx_log.rotation.size

Description

Specifies at which file size the logical log will auto-rotate. The minimum accepted value is 128 KiB.

Valid values

A byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) that is minimum 128.00KiB.

Default value

256.00MiB