AM 7.2.0

Legacy logging service

AM supports two audit logging services: a legacy logging service based on a Java SDK (available in AM versions prior to AM 5.0) and a common REST-based audit logging service. The legacy logging service is deprecated.

To configure AM logging properties, in the AM admin UI, go to Configure > Global Services > Logging.

For more information on the available settings, see Audit Logging reference.

Log to flat files

By default, AM audit logs are written to files in the instance’s configuration directory, such as $HOME/openam/log/.

AM sends messages to different log files, each named after the service logging the message, with two types of log file per service: .access and .error. Thus, the current log files for the authentication service are named amAuthentication.access and amAuthentication.error.

For details, see Log files and messages.

Log to a syslog server

AM supports sending audit log messages to a syslog server for collation.

You can enable syslog audit logging by using the AM admin UI, or the ssoadm command.

Syslog logging (UI)

  1. In the AM admin UI, go to Configure > Global Services > Logging.

  2. On the Syslog tab, configure the following settings as appropriate for your syslog server, and save your changes:

    • Syslog server host

    • Syslog server port

    • Syslog server protocol

    • Syslog facility

    • Syslog connection timeout

    For information on these settings, see Logging.

  3. On the General tab, set the Logging Type drop-down list to Syslog, and save your changes.

Syslog logging (ssoadm)

  1. Create a text file, for example, MySyslogServerSettings.txt, containing the settings used when audit logging to a syslog server:

    iplanet-am-logging-syslog-port=514
    iplanet-am-logging-syslog-protocol=UDP
    iplanet-am-logging-type=Syslog
    iplanet-am-logging-syslog-connection-timeout=30
    iplanet-am-logging-syslog-host=localhost
    iplanet-am-logging-syslog-facility=local5

  2. Use the following ssoadm command to configure audit logging to a syslog server:

    $ ssoadm \
      set-attr-defs \
      --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
      --password-file /tmp/pwd.txt \
      --servicename iPlanetAMLoggingService \
      --schematype Global \
      --datafile MySyslogServerSettings.txt
    Schema attribute defaults were set.
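
A pre-flight check for the settings file created in step 1, given here as an added example that is not part of the AM documentation or tooling. The function names are hypothetical, and the accepted protocol values (UDP, TCP) are an assumption to confirm against the Logging reference.

```shell
# Added example: pre-flight check for the ssoadm --datafile shown above.
# Assumption: UDP and TCP are the only protocol values accepted.

# Print the value of attribute $1 in file $2 (last occurrence wins).
get_setting() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '\r'
}

# Succeed only if $1 is a decimal integer between $2 and $3.
in_range() {
    case $1 in ''|*[!0-9]*|???????*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Return 0 if settings file $1 is complete and sane; report problems on stderr.
check_syslog_settings() {
    file=$1 rc=0 p=iplanet-am-logging-syslog
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    for key in host port protocol facility connection-timeout; do
        if [ -z "$(get_setting "$p-$key" "$file")" ]; then
            echo "missing or empty: $p-$key" >&2; rc=1
        fi
    done
    # The syslog attributes only matter once the logging type is Syslog.
    if [ "$(get_setting iplanet-am-logging-type "$file")" != Syslog ]; then
        echo "iplanet-am-logging-type must be Syslog" >&2; rc=1
    fi
    port=$(get_setting "$p-port" "$file")
    if [ -n "$port" ] && ! in_range "$port" 1 65535; then
        echo "invalid port: $port" >&2; rc=1
    fi
    timeout=$(get_setting "$p-connection-timeout" "$file")
    if [ -n "$timeout" ] && ! in_range "$timeout" 0 999999; then
        echo "invalid connection timeout: $timeout" >&2; rc=1
    fi
    proto=$(get_setting "$p-protocol" "$file")
    case $proto in
        ''|UDP|TCP) ;;
        *) echo "unexpected protocol: $proto" >&2; rc=1 ;;
    esac
    host=$(get_setting "$p-host" "$file")
    if [ "$proto" = UDP ] && [ -n "$host" ] && [ "$host" != localhost ]; then
        echo "warning: UDP delivery to $host is unacknowledged" >&2
    fi
    return "$rc"
}

# Run stand-alone as: sh check.sh MySyslogServerSettings.txt
if [ "$#" -gt 0 ]; then check_syslog_settings "$1"; fi
```

Run it against the settings file before passing that file to ssoadm with --datafile; a non-zero exit status means at least one attribute is missing or malformed.
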
Copyright © 2010-2022 ForgeRock, all rights reserved.