Audit Logging Reference

AM writes log messages generated from audit events triggered by its components, instances, and other ForgeRock-based stack products.

Audit Log Format

This section presents the audit log format for each topic-based file, event names, and audit constants used in its log messages.

Access Log Format

Access Log Format
Schema PropertyDescription
_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

eventName

Specifies the name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. For a list of audit event names, see "Audit Log Event Names".

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where trusted AM deployment with multiple instances, components, and ForgeRock stack products can propagate the transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. In releases prior to OpenAM 13.0.0, the contextId log property used a random string as an alias for the session ID. The trackingIds property also uses an alias when referring to session IDs, for example, [ "45b17894529cf74301" ].

OpenAM 13.0.0 extended this property to handle OAuth 2.0 tokens. In this case, whenever AM generates an access or grant token, it also generates unique random value and logs it as an alias. In this way, it is possible to trace back an access token back to its originating grant token, trace the grant token back to the session in which it was created, and then trace how the session was authenticated. An example of a trackingIds property in an OAuth 2.0/ OpenID Connect 1.0 environment is: [ "1979edf68543ead001", "8878e51a-f2aa-464f-b1cc-b12fd6daa415", "3df9a5c3-8d1e-4ee3-93d6-b9bbe58163bc" ]

server.ip

Specifies the IP address of the AM server. For example, 127.0.0.1.

server.port

Specifies the port number used by the AM server. For example, 8080.

client.host

Specifies the client hostname. This field is only populated if reverse DNS lookup is enabled.

client.ip

Specifies the client IP address.

client.port

Specifies the client port number.

authorizationId.roles

Specifies the list of roles for the authorized user.

authorizationId.component

Specifies the component part of the authorized ID, such as

request.protocol

Specifies the protocol associated with the request operation. Possible values: CREST and PLL.

request.operation

Specifies the request operation. For Common REST operations, possible values are: READ, ACTION, QUERY.

For PLL operations, possible values are: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request.detail

Specifies the detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

http.method

Specifies the HTTP method requested by the client. For example, GET, POST, PUT.

http.path

Specifies the path of the HTTP request. For example, https://openam.example.com:8443/openam/json/realms/root/authenticate.

http.queryParameters

Specifies the HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/shop" ] }

  • { "_action": [ "validateGoto" ] }

http.request.headers

Specifies the HTTP header for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "forgerock-am.openrock.org"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://forgerock-am.openrock.org/openam/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0)
      Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

Note: line feeds and truncated values in the example are for readability purposes.

http.request.cookies

Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values.

http.response.cookies

Not used in AM.

response.status

Specifies the response status of the request. For example, SUCCESS, FAILURE, or null.

response.statusCode

Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed.

response.detail

Specifies the message associated with response.statusCode. For example, the response.statusCode of 401 has a response.detail of { "reason": "Unauthorized" }.

response.elapsedTime

Specifies the time to execute the access event, usually in millisecond precision.

response.elapsedTimeUnits

Specifies the elapsed time units of the response. For example, MILLISECONDS.

component

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth, Web Policy Agent, or Java Policy Agent.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


Activity Log Format

Activity Log Format
PropertyDescription
_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-487.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.652Z

eventName

Specifies the name of the audit event. For example, AM-SESSION_CREATED, AM-SESSION-LOGGED_OUT, AM-IDENTITY-CHANGE. For a list of audit event names, see "Audit Log Event Names".

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for same even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies an array containing a random context ID that identifies the session and a random string generated from an OAuth 2.0/OpenID Connect 1.0 flow that could track an access token ID or an grant token ID. For example, [ "45b17894529cf74301" ].

runAs

Specifies the user to run the activity as. May be used in delegated administration. For example, id=dsameuser,ou=user,dc=example,dc=com.

objectId

Specifies the identifier of an object that has been created, updated, or deleted. For logging sessions, the session trackingId is used in this field. For example, [ "45b17894529cf74301" ]

operation

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

before

Not used.

after

Not used.

changedFields

Not used.

revision

Not used.

component

Specifies the AM service utilized. For example, Session or Self-Service.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


Authentication Log Format

Authentication Log Format
PropertyDescription
_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-485.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.640Z

eventName

Specifies the name of the audit event. For example, AM-LOGOUT and AM-LOGIN-MODULE-COMPLETED. For a list of audit event names, see "Audit Log Event Names".

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for same even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies an array containing a unique random context ID. For example:

  • For OAuth 2.0/OpenID Connect flows, it identifies the session and a random string generated that can track an access token ID or a grant token ID.

  • For authentication trees, it identifies an authentication tree flow.

result

Depending on the event being logged, specifies the outcome of:

  • A single authentication module within a chain

  • The result for an authentication tree

Possible values are SUCCESSFUL or FAILED.

principal

Specifies the array of accounts used to authenticate, such as [ "amadmin" ] and [ "scarter" ].

context

Not used

entries

Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. Examples:

   "entries":[
      {
         "moduleId":"DataStore",
         "info":{
            "moduleClass":"DataStore",
            "ipAddress":"127.0.0.1",
            "moduleName":"DataStore",
            "authLevel":"0"
         }
      }
   ]
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
component

Specifies the AM service utilized. For example, Authentication.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


Config Log Format

Config Log Format
PropertyDescription
_id

Specifies a universally unique identifier (UUID) for the message object. For example, 6a568d4fe-d655-49a8-8290-bfc02095bec9-843.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example, 2015-11-14T00:21:03.490Z

eventName

Specifies the name of the audit event. For example, AM-CONFIG-CHANGE. For a list of audit event names, see "Audit Log Event Names".

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 301d1a6e-67f9-4e45-bfeb-5e4047a8b432.

user.id

Not used. You can determine the value for this field by linking to the access event using the same transactionId.

trackingIds

Not used.

runAs

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectId

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services, dc=example,dc=com.

operation

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

before

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}
after

Specifies the JSON representation of the object after the activity. For example:

{
 "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}
changedFields

Specifies the fields that were changed. For example, [ "sunKeyValue" ].

revision

Not used.

component

Not used.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


Audit Log Event Names

The following section presents the predefined names for the audit events:

Audit Log Event Names
TopicEventName
accessAM-ACCESS_ATTEMPT
accessAM-ACCESS-OUTCOME
activityAM-BACK-CHANNEL-LOGOUT
activityAM-SELFSERVICE-REGISTRATION-COMPLETED
activityAM-SELFSERVICE-PASSWORDCHANGE-COMPLETED
activityAM-SESSION-CREATED
activityAM-SESSION-IDLE_TIME_OUT
activityAM-SESSION-MAX_TIMED_OUT
activityAM-SESSION-LOGGED_OUT
activityAM-SESSION-DESTROYED
activityAM-SESSION-PROPERTY_CHANGED
activityAM-IDENTITY-CHANGE
activityAM-GROUP-CHANGE
activityAM-TOKEN-EXCHANGE
authenticationAM-LOGOUT
authenticationAM-LOGIN-COMPLETED
authenticationAM-LOGIN-MODULE-COMPLETED
authenticationAM-NODE-LOGIN-COMPLETED
authenticationAM-TREE-LOGIN-COMPLETED
configAM-CONFIG-CHANGE

Audit Log Components

The following section presents the predefined audit event components that make up the log messages:

Audit Log Event Components
Event ComponentAM Component, Service, or Feature
OAuth

OAuth 2.0, OpenID Connect 1.0, and UMA

CTS

Core Token Service

AM Agents

Web and Java agents

Authentication

Authentication service

Dashboard

Dashboard service

Server Info

Server information service

Users

Users component

Groups

Groups component

Oath

Mobile authentication

Devices

Trusted devices

Policy

Policies

Realms

Realms and sub-realms

Session

Session service

Script

Scripting service

Batch

Batch service

Config

Configuration

STS

Secure Token Service: REST and SOAP

Record

Recording service

Audit

Auditing service

Radius

RADIUS server

Self-Service

User Self-Service service

ssoadm

ssoadm command

SAML2

SAML v2.0

Push

Push Notification service


Audit Log Failure Reasons

The following section presents the predefined audit event failure reasons:

Audit Log Event Authentication Failure Reasons
FailureDescription
LOGIN_FAILED

Incorrect/invalid credentials presented.

INVALID_PASSWORD

Invalid credentials entered.

NO_CONFIG

Authentication chain does not exist.

NO_USER_PROFILE

No user profile found for this user.

USER_INACTIVE

User is not active.

LOCKED_OUT

Maximum number of failure attempts exceeded. User is locked out.

ACCOUNT_EXPIRED

User account has expired.

LOGIN_TIMEOUT

Login timed out.

MODULE_DENIED

Authentication module is denied.

MAX_SESSION_REACHED

Limit for maximum number of allowed sessions has been reached.

INVALID_REALM

Realm does not exist.

REALM_INACTIVE

Realm is not active.

USER_NOTE_FOUND

Role-based authentication: user does not belong to this role.

AUTH_TYPE_DENIED

Authentication type is denied.

SESSION_CREATE_ERROR

Cannot create a session.

INVALID_LEVEL

Level-based authentication: Invalid authentication level.


Audit Log Default Whitelist

When an object is passed in an audit event, it might contain information that should not be logged. By default, the AM uses a whitelist to specify which fields of the event appear.

The following fields appear on the default, built in whitelist. This lists specifies each field by its JSON path. If a whitelisted field contains an object, then listing the field means the whole object is whitelisted:

Default Access Log Whitelist
  • /_id

  • /client

  • /eventName

  • /http/request/headers/accept

  • /http/request/headers/accept-api-version

  • /http/request/headers/content-type

  • /http/request/headers/host

  • /http/request/headers/user-agent

  • /http/request/headers/x-forwarded-for

  • /http/request/headers/x-forwarded-host

  • /http/request/headers/x-forwarded-port

  • /http/request/headers/x-forwarded-proto

  • /http/request/headers/x-original-uri

  • /http/request/headers/x-real-ip

  • /http/request/headers/x-request-id

  • /http/request/headers/x-requested-with

  • /http/request/headers/x-scheme

  • /http/request/method

  • /http/request/path

  • /http/request/queryParameters/authIndexType

  • /http/request/queryParameters/authIndexValue

  • /http/request/queryParameters/composite_advice

  • /http/request/queryParameters/level

  • /http/request/queryParameters/module_instance

  • /http/request/queryParameters/resource

  • /http/request/queryParameters/role

  • /http/request/queryParameters/service

  • /http/request/queryParameters/user

  • /http/request/secure

  • /request

  • /response

  • /server

  • /timestamp

  • /trackingIds

  • /transactionId

  • /userId

Default Activity Log Whitelist
  • /_id

  • /after/assignedDashboard

  • /after/cn

  • /after/commonName

  • /after/givenName

  • /after/inetUserStatus

  • /after/iplanet-am-user-alias-list

  • /after/iplanet-am-user-login-status

  • /after/kbaInfoAttempts

  • /after/memberof

  • /after/o

  • /after/oath2faEnabled

  • /after/objectClass

  • /after/organizationName

  • /after/organizationUnitName

  • /after/ou

  • /after/push2faEnabled

  • /after/sn

  • /after/sunAMAuthInvalidAttemptsData

  • /after/surname

  • /after/uid

  • /after/uniqueMember

  • /after/userid

  • /before/assignedDashboard

  • /before/cn

  • /before/commonName

  • /before/givenName

  • /before/inetUserStatus

  • /before/iplanet-am-user-alias-list

  • /before/iplanet-am-user-login-status

  • /before/kbaInfoAttempts

  • /before/memberof

  • /before/o

  • /before/oath2faEnabled

  • /before/objectClass

  • /before/organizationName

  • /before/organizationUnitName

  • /before/ou

  • /before/push2faEnabled

  • /before/sn

  • /before/sunAMAuthInvalidAttemptsData

  • /before/surname

  • /before/uid

  • /before/uniqueMember

  • /before/userid

  • /changedFields

  • /component

  • /component

  • /eventName

  • /objectId

  • /operation

  • /realm

  • /realm

  • /revision

  • /runAs

  • /timestamp

  • /trackingIds

  • /transactionId

  • /userId

Default Authentication Log Whitelist
  • /

Default Config Log Whitelist
  • /_id

  • /changedFields

  • /component

  • /eventName

  • /objectId

  • /operation

  • /realm

  • /revision

  • /runAs

  • /timestamp

  • /trackingIds

  • /transactionId

  • /userId

JDBC Audit Log Tables

AM writes audit events to relational databases using the JDBC audit event handler. This section presents the columns for each audit table.

am_auditaccess

am_auditaccess
ColumnDatatypeDescription
idVARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionidVARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventnameVARCHAR(255)

Specifies the name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. For a list of audit event names, see "Audit Log Event Names".

useridVARCHAR(255) NULL

Specifies the universal identifier for the authenticated user. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingidsMEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

server_ipVARCHAR(40)

Specifies the IP address of the AM server.

server_portVARCHAR(5)

Specifies the port number used by the AM server. For example, 8080.

client_hostVARCHAR(255)

Specifies the client hostname. This column is only populated if reverse DNS lookup is enabled.

client_ipVARCHAR(40)

Specifies the client IP address.

client_portVARCHAR(5)

Specifies the client port number.

request_protocolVARCHAR(255) NULL

Specifies the protocol associated with the request operation. Possible values: CREST and PLL.

request_operationVARCHAR(255) NULL

Specifies the request operation. For Common REST operations, possible values: READ, ACTION, QUERY.

For PLL operations, possible values: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request_detailTEXT NULL

Specifies the detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

http_request_secureBOOLEAN NULL

Specifies the HTTP method requested by the client. For example, trueT or false. Note that false does not mean the client connection is insecure as there may be a reverse proxy terminating the HTTPS connection.

http_request_methodVARCHAR(7) NULL

Specifies the HTTP method requested by the client. For example, GET, POST, PUT.

http_request_pathVARCHAR(255) NULL

Specifies the path of the HTTP request. For example, https://openam.example.com:8443/openam/json/realms/root/authenticate.

http_request_queryparametersMEDIUMTEXT NULL

Specifies the HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/shop" ] }

  • { "_action": [ "validateGoto" ] }

http_request_headersMEDIUMTEXT NULL

Specifies the HTTP headers for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "forgerock-am.openrock.org"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://forgerock-am.openrock.org/openam/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0)
      Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

Note: line feeds and truncated values in the example are for readability purposes.

http_request_cookiesMEDIUMTEXT NULL

Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. For example:

"cookies": "amlbcookie=01; iPlanetDirectoryPro=\"AQIC5wM2LY....*AAJTSQACMfwT...*\"; iPlanetDirectoryPro=eyJ0eXAiOiJK....eyJzdWIiOiJkZ..."

Note: line feeds and truncated values in the example are for readability purposes.

http_response_headersMEDIUMTEXT NULL

Captures the headers returned by AM to the client (that is, the inverse of http_request_headers. Note that AM does not currently populate this field.

response_statusVARCHAR(10) NULL

Specifies the response status of the request. For example, SUCCESS, FAILURE, ALLOWED, DENIED, or NULL.

response_statuscodeVARCHAR(255) NULL

Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed.

response_detailTEXT NULL

Specifies the message associated with the response status code. For example, a response status code of 401 has a response detail of { "reason": "Unauthorized" }.

response_elapsedtimeVARCHAR(255) NULL

Specifies the time to execute the access event, usually in millisecond precision.

response_elapsedtimeunitsVARCHAR(255) NULL

Specifies the elapsed time units of the response. For example, MILLISECONDS.

componentVARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realmVARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


am_auditauthentication

am_auditauthentication
ColumnDatatypeDescription
idVARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionidVARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventnameVARCHAR(255) NULL

Specifies the name of the audit event. For example, AM-LOGIN-MODULE-COMPLETED and AM-LOGOUT. For a list of audit event names, see "Audit Log Event Names".

useridVARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingidsMEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

resultVARCHAR(255) NULL

Depending on the event being logged, specifies the outcome of:

  • A single authentication module within a chain

  • The result for an authentication tree

Possible values are SUCCESSFUL or FAILED.

principalsMEDIUMTEXT

Specifies the array of accounts used to authenticate, such as [ "amadmin" ] and [ "scarter" ].

contextN/A

MEDIUMTEXT. Not used.

entriesMEDIUMTEXT

Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. For example:

   "entries":[
      {
         "moduleId":"DataStore",
         "info":{
            "moduleClass":"DataStore",
            "ipAddress":"127.0.0.1",
            "moduleName":"DataStore",
            "authLevel":"0"
         }
      }
   ]
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
componentVARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realmVARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


am_auditactivity

am_auditactivity
ColumnDatatypeDescription
idVARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_VARCHAR(29) NOT NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionidVARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventnameVARCHAR(255) NULL

Specifies the name of the audit event. For example, AM-SESSION-CREATED and AM-SESSION-DESTROYED. For a list of audit event names, see "Audit Log Event Names".

useridVARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingidsMEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

runasVARCHAR(255) NULL

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectidVARCHAR(255) NULL

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services, dc=example,dc=com.

operationVARCHAR(255) NULL

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObjectMEDIUMTEXT NULL

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}
afterObjectMEDIUMTEXT NULL

Specifies the JSON representation of the object after the activity. For example:

{
  "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}
changedfieldsVARCHAR(255) NULL

Specifies the columns that were changed. For example, [ "sunKeyValue" ].

revVARCHAR(255) NULL

Not used.

componentVARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realmVARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


am_auditconfig

am_auditconfig
ColumnDatatypeDescription
idVARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionidVARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventnameVARCHAR(255) NULL

Specifies the name of the audit event. For example, AM-CONFIG-CHANGE. For a list of audit event names, see "Audit Log Event Names".

useridVARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingidsMEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

runasVARCHAR(255) NULL

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectidVARCHAR(255) NULL

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services, dc=example,dc=com.

operationVARCHAR(255) NULL

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObjectMEDIUMTEXT NULL

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}
afterObjectMEDIUMTEXT NULL

Specifies the JSON representation of the object after the activity. For example:

{
  "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}
changedfieldsVARCHAR(255) NULL

Specifies the columns that were changed. For example, [ "sunKeyValue" ].

revVARCHAR(255)

Not used.

componentVARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realmVARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/") or the sub-realm name ("/shop").


Read a different version of :