Log Files
This section describes the different classic Logging Service log files.
Audit Log Files
This chapter describes classic Logging Service audit log files:
Audit logs record information about events. You can adjust the amount of detail in the administrative logs under Configuration > System > Logging.
- amAuthentication.access
Contains log data for when users log into and out of an instance, including failed authentications
- amAuthentication.error
Contains log data about errors encountered when users log in to and out of an instance
- amConsole.access
Contains data about actions run as the administrator in the console, including changes to realms and policies
- amConsole.error
Contains data on errors encountered during administrator sessions
- amPolicy.access
Contains data about authorization actions permitted by policies, including policy creation, removal, or modification
- amPolicy.error
Contains data on errors encountered during actions related to the policy
- amPolicyDelegation.access
Contains data about actions as part of the policy delegation, including any changes to the delegation
- amRemotePolicy.access
Contains data about policies accessed remotely
- amRest.access
Contains data about access to REST endpoints
- amRest.authz
Contains data about authorizations to access REST endpoints
- amSSO.access
Contains data about user sessions, including times of access, session time outs, session creation, and session termination for stateful sessions; contains data about session creation and session termination for stateless sessions
- CoreToken.access
Contains data about actions run against the core token
- CoreToken.error
Contains data on errors encountered regarding the core token
- COT.access
Contains data about the circle of trust
- COT.error
Contains data on errors encountered for the circle of trust
- Entitlement.access
Contains data about entitlement actions or changes
- OAuth2Provider.access
Contains data about actions for the OAuth 2.0 provider
- OAuth2Provider.error
Contains data about errors encountered by the OAuth 2.0 provider
- SAML2.access
Contains data about SAML 2 actions, including changes to assertions, artifacts, response, and requests
- SAML2.error
Contains data about errors encountered during SAML 2 actions
- SAML.access
Contains data about SAML actions, including changes to assertions, artifacts, response, and requests
- SAML.error
Contains data about errors encountered during SAML actions
- ssoadm.access
Contains data about actions completed for SSO as admin
- WebServicesSecurity.access
Contains data about activity for Web Services Security
- WebServicesSecurity.error
Contains data on errors encountered by Web Services Security
- WSFederation.access
Contains data about activity for WS Federation, including changes and access information
- WSFederation.error
Contains data on errors encountered during WS Federation
Audit Logging Reference
AM writes log messages generated from audit events triggered by its components, instances, and other ForgeRock-based stack products.
Audit Log Format
This section presents the audit log format for each topic-based file, event names, and audit constants used in its log messages.
Access Log Format
Schema Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, AM supports a feature where trusted AM deployment with multiple instances, components, and ForgeRock stack products can propagate the transaction ID through each call across the stack. AM reads the |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. In releases prior to OpenAM 13.0.0, the OpenAM 13.0.0 extended this property to handle OAuth 2.0 tokens. In this case, whenever AM generates an access or grant token, it also generates a unique random value and logs it as an alias. In this way, it is possible to trace an access token back to its originating grant token, trace the grant token back to the session in which it was created, and then trace how the session was authenticated. An example of a |
server.ip | Specifies the IP address of the AM server. For example, |
server.port | Specifies the port number used by the AM server. For example, |
client.host | Specifies the client hostname. This field is only populated if reverse DNS lookup is enabled. |
client.ip | Specifies the client IP address. |
client.port | Specifies the client port number. |
authorizationId.roles | Specifies the list of roles for the authorized user. |
authorizationId.component | Specifies the component part of the authorized ID, such as |
request.protocol | Specifies the protocol associated with the request operation. Possible values: |
request.operation | Specifies the request operation. For Common REST operations, possible values are: For PLL operations, possible values are: |
request.detail | Specifies the detailed information about the request operation. For example: |
http.method | Specifies the HTTP method requested by the client. For example, |
http.path | Specifies the path of the HTTP request. For example, |
http.queryParameters | Specifies the HTTP query parameter string. For example: |
http.request.headers | Specifies the HTTP header for the request. For example: { "accept":[ "application/json, text/javascript, */*; q=0.01" ], "Accept-API-Version":[ "protocol=1.0" ], "accept-encoding":[ "gzip, deflate" ], "accept-language":[ "en-US;q=1,en;q=0.9" ], "cache-control":[ "no-cache" ], "connection":[ "Keep-Alive" ], "content-length":[ "0" ], "host":[ "forgerock-am.openrock.org" ], "pragma":[ "no-cache" ], "referer":[ "https://forgerock-am.openrock.org/openam/XUI/" ], "user-agent":[ "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0" ], "x-nosession":[ "true" ], "x-requested-with":[ "XMLHttpRequest" ], "x-username":[ "anonymous" ] } Note: line feeds and truncated values in the example are for readability purposes. |
http.request.cookies | Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. |
http.response.cookies | Not used in AM. |
response.status | Specifies the response status of the request. For example, |
response.statusCode | Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed. |
response.detail | Specifies the message associated with |
response.elapsedTime | Specifies the time to execute the access event, usually in millisecond precision. |
response.elapsedTimeUnits | Specifies the elapsed time units of the response. For example, |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Activity Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies an array containing a random context ID that identifies the session and a random string generated from an OAuth 2.0/OpenID Connect 1.0 flow that could track an access token ID or a grant token ID. For example, |
runAs | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectId | Specifies the identifier of an object that has been created, updated, or deleted. For logging sessions, the session |
operation | Specifies the state change operation invoked: |
before | Not used. |
after | Not used. |
changedFields | Not used. |
revision | Not used. |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Authentication Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies an array containing a unique random context ID. For example: |
result | Depending on the event being logged, specifies the outcome of: Possible values are |
principal | Specifies the array of accounts used to authenticate, such as |
context | Not used |
entries | Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. Examples: "entries":[ { "moduleId":"DataStore", "info":{ "moduleClass":"DataStore", "ipAddress":"127.0.0.1", "moduleName":"DataStore", "authLevel":"0" } } ] "entries":[ { "info":{ "nodeOutcome":"true", "treeName":"Example", "displayName":"Data Store Decision", "nodeType":"DataStoreDecisionNode", "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170", "authLevel":"0" } } ] |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
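The access and authentication formats above share transactionId and trackingIds, and those two properties are what let a reviewer stitch a login and its later token use back together across the topic files. The following is an added example, not code from this page or from ForgeRock: it parses constructed JSON-lines events in the shape of the two formats (every id, address and user name is invented), groups them by transactionId, and follows trackingIds links from an access-token alias back to the grant and to the session that issued it, as the trackingIds description says is possible. The property spellings (userId, trackingIds) follow the whitelist paths later on this page; the event structure of a real deployment should be checked against its own log files.

```python
"""Correlate AM audit events across topic files by transactionId and trackingIds."""
import json
from collections import defaultdict, deque

# Constructed sample events, one JSON object per line, in the shape of the access
# and authentication log formats documented above. All identifiers, addresses
# and user names are invented for this example.
SAMPLE_LOG_LINES = [
    # access topic: the authenticate request that opened transaction txn-1
    '{"_id":"e1","timestamp":"2020-01-01T10:00:00.000Z","eventName":"AM-ACCESS-OUTCOME",'
    '"transactionId":"txn-1","userId":"","trackingIds":[],'
    '"client":{"ip":"203.0.113.7","port":51000},'
    '"http":{"request":{"method":"POST","path":"/openam/json/authenticate"}},'
    '"response":{"status":"SUCCESSFUL","elapsedTime":85,"elapsedTimeUnits":"MILLISECONDS"},'
    '"component":"Authentication","realm":"/"}',
    # authentication topic: same transaction, carries the new session's tracking id
    '{"_id":"e2","timestamp":"2020-01-01T10:00:00.080Z","eventName":"AM-TREE-LOGIN-COMPLETED",'
    '"transactionId":"txn-1","userId":"id=alice,ou=user,dc=example,dc=com",'
    '"trackingIds":["sess-111"],"result":"SUCCESSFUL","principal":["alice"],'
    '"component":"Authentication","realm":"/"}',
    # access topic: an authorization grant issued inside that session
    '{"_id":"e3","timestamp":"2020-01-01T10:01:00.000Z","eventName":"AM-ACCESS-OUTCOME",'
    '"transactionId":"txn-2","userId":"id=alice,ou=user,dc=example,dc=com",'
    '"trackingIds":["sess-111","grant-222"],"client":{"ip":"203.0.113.7","port":51004},'
    '"http":{"request":{"method":"POST","path":"/openam/oauth2/authorize"}},'
    '"response":{"status":"SUCCESSFUL","elapsedTime":40,"elapsedTimeUnits":"MILLISECONDS"},'
    '"component":"OAuth","realm":"/"}',
    # access topic: the grant exchanged for an access token by the client backend
    '{"_id":"e4","timestamp":"2020-01-01T10:01:01.000Z","eventName":"AM-ACCESS-OUTCOME",'
    '"transactionId":"txn-3","userId":"","trackingIds":["grant-222","tok-333"],'
    '"client":{"ip":"198.51.100.9","port":40200},'
    '"http":{"request":{"method":"POST","path":"/openam/oauth2/access_token"}},'
    '"response":{"status":"SUCCESSFUL","elapsedTime":30,"elapsedTimeUnits":"MILLISECONDS"},'
    '"component":"OAuth","realm":"/"}',
    # access topic: the access token used later
    '{"_id":"e5","timestamp":"2020-01-01T10:05:00.000Z","eventName":"AM-ACCESS-OUTCOME",'
    '"transactionId":"txn-4","userId":"","trackingIds":["tok-333"],'
    '"client":{"ip":"198.51.100.9","port":40210},'
    '"http":{"request":{"method":"GET","path":"/openam/oauth2/userinfo"}},'
    '"response":{"status":"SUCCESSFUL","elapsedTime":12,"elapsedTimeUnits":"MILLISECONDS"},'
    '"component":"OAuth","realm":"/"}',
    # authentication topic: an unrelated failed login
    '{"_id":"e6","timestamp":"2020-01-01T10:06:00.000Z","eventName":"AM-LOGIN-COMPLETED",'
    '"transactionId":"txn-5","userId":"","trackingIds":["sess-999"],"result":"FAILED",'
    '"principal":["bob"],"component":"Authentication","realm":"/"}',
]


def load_events(lines):
    """Parse one JSON audit event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def group_by_transaction(events):
    """Map transactionId -> events from any topic, in timestamp order."""
    groups = defaultdict(list)
    for event in events:
        groups[event["transactionId"]].append(event)
    for txn in groups:
        groups[txn].sort(key=lambda e: e["timestamp"])
    return dict(groups)


def trace_tracking_id(events, start_id):
    """Follow trackingIds links from start_id (for example an access-token alias).

    Two aliases are linked when they appear together in one event's trackingIds.
    Returns the set of linked aliases and every matching event in time order."""
    by_id = defaultdict(list)
    for event in events:
        for tid in event.get("trackingIds", []):
            by_id[tid].append(event)
    seen, queue, matched = {start_id}, deque([start_id]), {}
    while queue:
        tid = queue.popleft()
        for event in by_id.get(tid, []):
            matched[event["_id"]] = event
            for linked in event.get("trackingIds", []):
                if linked not in seen:
                    seen.add(linked)
                    queue.append(linked)
    return seen, sorted(matched.values(), key=lambda e: e["timestamp"])


def session_owner(events, start_id):
    """userId from the successful login event at the root of a tracking chain,
    or None when the chain does not lead back to a successful login."""
    _, chain = trace_tracking_id(events, start_id)
    for event in chain:
        if "LOGIN" in event["eventName"] and event.get("result") == "SUCCESSFUL":
            return event["userId"]
    return None


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG_LINES)
    for txn, group in group_by_transaction(evts).items():
        print(txn, [e["eventName"] for e in group])
    aliases, chain = trace_tracking_id(evts, "tok-333")
    print(sorted(aliases), [e["_id"] for e in chain], session_owner(evts, "tok-333"))
```

Starting from the token alias tok-333, the trace reaches grant-222 through the access_token request and sess-111 through the authorize request, and ends at the tree-login event that names the user, which is the chain the trackingIds description promises. Run against real files, feed every topic file into load_events together, since the session alias only appears in the authentication topic.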
Config Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object. For example, |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, |
user.id | Not used. You can determine the value for this field by linking to the access event using the same |
trackingIds | Not used. |
runAs | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectId | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | Specifies the state change operation invoked: |
before | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
after | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedFields | Specifies the fields that were changed. For example, |
revision | Not used. |
component | Not used. |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Audit Log Event Names
The following section presents the predefined names for the audit events:
Topic | EventName |
---|---|
access | AM-ACCESS_ATTEMPT |
access | AM-ACCESS-OUTCOME |
activity | AM-SELFSERVICE-REGISTRATION-COMPLETED |
activity | AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED |
activity | AM-SESSION-CREATED |
activity | AM-SESSION-IDLE_TIME_OUT |
activity | AM-SESSION-MAX_TIMED_OUT |
activity | AM-SESSION-LOGGED_OUT |
activity | AM-SESSION-DESTROYED |
activity | AM-SESSION-PROPERTY_CHANGED |
activity | AM-IDENTITY-CHANGE |
activity | AM-GROUP-CHANGE |
authentication | AM-LOGOUT |
authentication | AM-LOGIN-COMPLETED |
authentication | AM-LOGIN-MODULE-COMPLETED |
authentication | AM-NODE-LOGIN-COMPLETED |
authentication | AM-TREE-LOGIN-COMPLETED |
config | AM-CONFIG-CHANGE |
Audit Log Components
The following section presents the predefined audit event components that make up the log messages:
Event Component | AM Component, Service, or Feature |
---|---|
OAuth | OAuth 2.0, OpenID Connect 1.0, and UMA |
CTS | Core Token Service |
AM Agents | Web and Java agents |
Authentication | Authentication service |
Dashboard | Dashboard service |
Server Info | Server information service |
Users | Users component |
Groups | Groups component |
Oath | Mobile authentication |
Devices | Trusted devices |
Policy | Policies |
Realms | Realms and sub-realms |
Session | Session service |
Script | Scripting service |
Batch | Batch service |
Config | Configuration |
STS | Secure Token Service: REST and SOAP |
Record | Recording service |
Audit | Auditing service |
Radius | RADIUS server |
Self-Service | User Self-Service service |
ssoadm | ssoadm command |
SAML2 | SAML v2.0 |
Push | Push Notification service |
Audit Log Failure Reasons
The following section presents the predefined audit event failure reasons:
Failure | Description |
---|---|
LOGIN_FAILED | Incorrect/invalid credentials presented. |
INVALID_PASSWORD | Invalid credentials entered. |
NO_CONFIG | Authentication chain does not exist. |
NO_USER_PROFILE | No user profile found for this user. |
USER_INACTIVE | User is not active. |
LOCKED_OUT | Maximum number of failure attempts exceeded. User is locked out. |
ACCOUNT_EXPIRED | User account has expired. |
LOGIN_TIMEOUT | Login timed out. |
MODULE_DENIED | Authentication module is denied. |
MAX_SESSION_REACHED | Limit for maximum number of allowed sessions has been reached. |
INVALID_REALM | Realm does not exist. |
REALM_INACTIVE | Realm is not active. |
USER_NOTE_FOUND | Role-based authentication: user does not belong to this role. |
AUTH_TYPE_DENIED | Authentication type is denied. |
SESSION_CREATE_ERROR | Cannot create a session. |
INVALID_LEVEL | Level-based authentication: Invalid authentication level. |
Audit Log Default Whitelist
When an object is passed in an audit event, it might contain information that should not be logged. By default, AM uses a whitelist to specify which fields of the event appear.
The following fields appear on the default, built-in whitelist. This list specifies each field by its JSON path. If a whitelisted field contains an object, then listing the field means the whole object is whitelisted:
Access Log Whitelist
/_id
/client
/eventName
/http/request/headers/accept
/http/request/headers/accept-api-version
/http/request/headers/content-type
/http/request/headers/host
/http/request/headers/user-agent
/http/request/headers/x-forwarded-for
/http/request/headers/x-forwarded-host
/http/request/headers/x-forwarded-port
/http/request/headers/x-forwarded-proto
/http/request/headers/x-original-uri
/http/request/headers/x-real-ip
/http/request/headers/x-request-id
/http/request/headers/x-requested-with
/http/request/headers/x-scheme
/http/request/method
/http/request/path
/http/request/queryParameters/authIndexType
/http/request/queryParameters/authIndexValue
/http/request/queryParameters/composite_advice
/http/request/queryParameters/level
/http/request/queryParameters/module_instance
/http/request/queryParameters/resource
/http/request/queryParameters/role
/http/request/queryParameters/service
/http/request/queryParameters/user
/http/request/secure
/request
/response
/server
/timestamp
/trackingIds
/transactionId
/userId
Activity Log Whitelist
/_id
/after/assignedDashboard
/after/cn
/after/commonName
/after/givenName
/after/inetUserStatus
/after/iplanet-am-user-alias-list
/after/iplanet-am-user-login-status
/after/kbaInfoAttempts
/after/memberof
/after/o
/after/oath2faEnabled
/after/objectClass
/after/organizationName
/after/organizationUnitName
/after/ou
/after/push2faEnabled
/after/sn
/after/sunAMAuthInvalidAttemptsData
/after/surname
/after/uid
/after/uniqueMember
/after/userid
/before/assignedDashboard
/before/cn
/before/commonName
/before/givenName
/before/inetUserStatus
/before/iplanet-am-user-alias-list
/before/iplanet-am-user-login-status
/before/kbaInfoAttempts
/before/memberof
/before/o
/before/oath2faEnabled
/before/objectClass
/before/organizationName
/before/organizationUnitName
/before/ou
/before/push2faEnabled
/before/sn
/before/sunAMAuthInvalidAttemptsData
/before/surname
/before/uid
/before/uniqueMember
/before/userid
/changedFields
/component
/eventName
/objectId
/operation
/realm
/revision
/runAs
/timestamp
/trackingIds
/transactionId
/userId
Authentication Log Whitelist
/
Config Log Whitelist
/_id
/changedFields
/component
/eventName
/objectId
/operation
/realm
/revision
/runAs
/timestamp
/trackingIds
/transactionId
/userId
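To see what the whitelist semantics above mean for a concrete event, here is an added example (not AM's own implementation) that applies a subset of the default access whitelist to a constructed access event. It keeps a whitelisted object whole (/client, /response), keeps only the listed header and query-parameter names, and reports which leaf paths were dropped. The sample event, including its authorization header, cookie and password query parameter, is invented for this example; matching is exact and case-sensitive here, which is an assumption of this code, not a statement about AM.

```python
"""Apply an audit whitelist of JSON paths to an event before it is written."""
import copy

# Subset of the default access-topic whitelist listed above.
ACCESS_WHITELIST = [
    "/_id", "/client", "/eventName",
    "/http/request/headers/accept", "/http/request/headers/host",
    "/http/request/headers/user-agent", "/http/request/headers/x-forwarded-for",
    "/http/request/method", "/http/request/path",
    "/http/request/queryParameters/service", "/http/request/secure",
    "/request", "/response", "/server", "/timestamp", "/trackingIds",
    "/transactionId", "/userId",
]

# Constructed access event; every value, including the credential-bearing
# header, cookie and query parameter, is invented for this example.
SAMPLE_ACCESS_EVENT = {
    "_id": "c0ffee-1", "timestamp": "2020-01-01T10:00:00.000Z",
    "eventName": "AM-ACCESS-OUTCOME", "transactionId": "txn-1",
    "userId": "id=alice,ou=user,dc=example,dc=com", "trackingIds": ["sess-111"],
    "server": {"ip": "10.0.0.5", "port": 8443},
    "client": {"ip": "203.0.113.7", "port": 51000},
    "http": {"request": {
        "secure": True, "method": "POST", "path": "/openam/json/authenticate",
        "queryParameters": {"service": ["ldapService"], "password": ["hunter2"]},
        "headers": {
            "accept": ["application/json"], "host": ["am.example.com"],
            "user-agent": ["curl/7.68.0"],
            "authorization": ["Basic ZXhhbXBsZQ=="],
            "cookie": ["iPlanetDirectoryPro=AQIC5w..."],
        },
        "cookies": {"iPlanetDirectoryPro": "AQIC5w..."},
    }},
    "response": {"status": "SUCCESSFUL", "elapsedTime": 85,
                 "elapsedTimeUnits": "MILLISECONDS"},
    "component": "Authentication", "realm": "/",
}

_MISSING = object()


def _lookup(obj, parts):
    """Walk obj along parts; return _MISSING if any step is absent."""
    node = obj
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def apply_whitelist(event, whitelist):
    """Return a copy of event containing only whitelisted paths.

    A path naming an object keeps that whole object, as the text above states;
    a path absent from the event is skipped; the path '/' keeps everything.
    Matching is exact and case-sensitive (an assumption of this example)."""
    kept = {}
    for path in whitelist:
        parts = [p for p in path.split("/") if p]
        if not parts:
            return copy.deepcopy(event)
        value = _lookup(event, parts)
        if value is _MISSING:
            continue
        target = kept
        for part in parts[:-1]:
            target = target.setdefault(part, {})
        target[parts[-1]] = copy.deepcopy(value)
    return kept


def leaf_paths(obj, prefix=""):
    """Yield the JSON path of every leaf value (lists count as leaves)."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}/{key}")
    else:
        yield prefix or "/"


def dropped_paths(event, whitelist):
    """Leaf paths present in event that the whitelist removes; review this list
    to confirm secrets are gone and nothing needed for investigation is lost."""
    kept = set(leaf_paths(apply_whitelist(event, whitelist)))
    return sorted(p for p in leaf_paths(event) if p not in kept)


if __name__ == "__main__":
    import json
    print(json.dumps(apply_whitelist(SAMPLE_ACCESS_EVENT, ACCESS_WHITELIST), indent=2))
    print("dropped:", dropped_paths(SAMPLE_ACCESS_EVENT, ACCESS_WHITELIST))
```

The dropped list is the useful output when reviewing a whitelist change: with the access list reproduced above, the authorization header, the cookie header, the cookies map and the password query parameter disappear, and so do component and realm, because the access list on this page does not name them. That second point is worth checking in your own deployment before relying on either field for filtering.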
JDBC Audit Log Tables
AM writes audit events to relational databases using the JDBC audit event handler. This section presents the columns for each audit table.
am_auditaccess
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for the authenticated user. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
server_ip | VARCHAR(40) | Specifies the IP address of the AM server. |
server_port | VARCHAR(5) | Specifies the port number used by the AM server. For example, |
client_host | VARCHAR(255) | Specifies the client hostname. This column is only populated if reverse DNS lookup is enabled. |
client_ip | VARCHAR(40) | Specifies the client IP address. |
client_port | VARCHAR(5) | Specifies the client port number. |
request_protocol | VARCHAR(255) NULL | Specifies the protocol associated with the request operation. Possible values: |
request_operation | VARCHAR(255) NULL | Specifies the request operation. For Common REST operations, possible values: For PLL operations, possible values: |
request_detail | TEXT NULL | Specifies the detailed information about the request operation. For example: |
http_request_secure | BOOLEAN NULL | Specifies the HTTP method requested by the client. For example, |
http_request_method | VARCHAR(7) NULL | Specifies the HTTP method requested by the client. For example, |
http_request_path | VARCHAR(255) NULL | Specifies the path of the HTTP request. For example, |
http_request_queryparameters | MEDIUMTEXT NULL | Specifies the HTTP query parameter string. For example: |
http_request_headers | MEDIUMTEXT NULL | Specifies the HTTP headers for the request. For example: { "accept":[ "application/json, text/javascript, */*; q=0.01" ], "Accept-API-Version":[ "protocol=1.0" ], "accept-encoding":[ "gzip, deflate" ], "accept-language":[ "en-US;q=1,en;q=0.9" ], "cache-control":[ "no-cache" ], "connection":[ "Keep-Alive" ], "content-length":[ "0" ], "host":[ "forgerock-am.openrock.org" ], "pragma":[ "no-cache" ], "referer":[ "https://forgerock-am.openrock.org/openam/XUI/" ], "user-agent":[ "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0" ], "x-nosession":[ "true" ], "x-requested-with":[ "XMLHttpRequest" ], "x-username":[ "anonymous" ] } Note: line feeds and truncated values in the example are for readability purposes. |
http_request_cookies | MEDIUMTEXT NULL | Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. For example: "cookies": "amlbcookie=01; iPlanetDirectoryPro=\"AQIC5wM2LY....*AAJTSQACMfwT...*\"; iPlanetDirectoryPro=eyJ0eXAiOiJK....eyJzdWIiOiJkZ..." Note: line feeds and truncated values in the example are for readability purposes. |
http_response_headers | MEDIUMTEXT NULL | Captures the headers returned by AM to the client (that is, the inverse of |
response_status | VARCHAR(10) NULL | Specifies the response status of the request. For example, |
response_statuscode | VARCHAR(255) NULL | Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed. |
response_detail | TEXT NULL | Specifies the message associated with the response status code. For example, a response status code of 401 has a response detail of |
response_elapsedtime | VARCHAR(255) NULL | Specifies the time to execute the access event, usually in millisecond precision. |
response_elapsedtimeunits | VARCHAR(255) NULL | Specifies the elapsed time units of the response. For example, |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditauthentication
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
result | VARCHAR(255) NULL | Depending on the event being logged, specifies the outcome of: Possible values are |
principals | MEDIUMTEXT | Specifies the array of accounts used to authenticate, such as |
context | MEDIUMTEXT | Not used. |
entries | MEDIUMTEXT | Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. For example: "entries":[ { "moduleId":"DataStore", "info":{ "moduleClass":"DataStore", "ipAddress":"127.0.0.1", "moduleName":"DataStore", "authLevel":"0" } } ] "entries":[ { "info":{ "nodeOutcome":"true", "treeName":"Example", "displayName":"Data Store Decision", "nodeType":"DataStoreDecisionNode", "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170", "authLevel":"0" } } ] |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditactivity
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NOT NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
runas | VARCHAR(255) NULL | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectid | VARCHAR(255) NULL | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | VARCHAR(255) NULL | Specifies the state change operation invoked: |
beforeObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
afterObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedfields | VARCHAR(255) NULL | Specifies the columns that were changed. For example, |
rev | VARCHAR(255) NULL | Not used. |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditconfig
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
runas | VARCHAR(255) NULL | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectid | VARCHAR(255) NULL | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | VARCHAR(255) NULL | Specifies the state change operation invoked: |
beforeObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
afterObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedfields | VARCHAR(255) NULL | Specifies the columns that were changed. For example, |
rev | VARCHAR(255) | Not used. |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
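A practitioner querying the JDBC tables usually needs to join am_auditauthentication to am_auditaccess on transactionid, because the client address is recorded in the access row while the login outcome and principals are in the authentication row. The following is an added example, not part of this page or of ForgeRock's own schema scripts: it creates in-memory SQLite tables with a subset of the columns and declared types listed above, inserts constructed rows (ids, timestamps, addresses, session aliases and account names are invented), runs a threshold query for repeated failed logins per client address, and decodes the JSON principals column for the matches.

```python
"""Query audit rows in tables shaped like the AM JDBC audit tables."""
import json
import sqlite3

# Constructed subset of the am_auditaccess and am_auditauthentication columns
# listed above, with the declared types shown there (SQLite accepts the names).
SCHEMA = """
CREATE TABLE am_auditaccess (
    id VARCHAR(56) NOT NULL, timestamp_ VARCHAR(29) NULL, transactionid VARCHAR(255) NULL,
    eventname VARCHAR(255), userid VARCHAR(255) NULL, trackingids MEDIUMTEXT,
    client_ip VARCHAR(40), http_request_method VARCHAR(7) NULL,
    http_request_path VARCHAR(255) NULL, response_status VARCHAR(10) NULL,
    response_statuscode VARCHAR(255) NULL, response_elapsedtime VARCHAR(255) NULL,
    component VARCHAR(255) NULL, realm VARCHAR(255) NULL
);
CREATE TABLE am_auditauthentication (
    id VARCHAR(56) NOT NULL, timestamp_ VARCHAR(29) NULL, transactionid VARCHAR(255) NULL,
    eventname VARCHAR(255) NULL, userid VARCHAR(255) NULL, trackingids MEDIUMTEXT,
    result VARCHAR(255) NULL, principals MEDIUMTEXT, entries MEDIUMTEXT,
    component VARCHAR(255) NULL, realm VARCHAR(255) NULL
);
"""

AUTH_PATH = "/openam/json/authenticate"
# Module entry in the shape of the entries example above (values constructed).
ENTRIES = json.dumps([{"moduleId": "DataStore", "info": {
    "moduleClass": "DataStore", "moduleName": "DataStore", "authLevel": "0"}}])

# Constructed rows: three failed logins from one address, one success from another.
ACCESS_ROWS = [
    ("a1", "2020-01-01T10:00:00.000Z", "txn-1", "AM-ACCESS-OUTCOME", "", "[]",
     "203.0.113.7", "POST", AUTH_PATH, "FAILED", "401", "30", "Authentication", "/"),
    ("a2", "2020-01-01T10:00:05.000Z", "txn-2", "AM-ACCESS-OUTCOME", "", "[]",
     "203.0.113.7", "POST", AUTH_PATH, "FAILED", "401", "28", "Authentication", "/"),
    ("a3", "2020-01-01T10:00:09.000Z", "txn-3", "AM-ACCESS-OUTCOME", "", "[]",
     "203.0.113.7", "POST", AUTH_PATH, "FAILED", "401", "31", "Authentication", "/"),
    ("a4", "2020-01-01T10:02:00.000Z", "txn-4", "AM-ACCESS-OUTCOME",
     "id=alice,ou=user,dc=example,dc=com", '["sess-111"]',
     "198.51.100.9", "POST", AUTH_PATH, "SUCCESSFUL", "", "80", "Authentication", "/"),
]
AUTH_ROWS = [
    ("n1", "2020-01-01T10:00:00.030Z", "txn-1", "AM-LOGIN-COMPLETED", "", '["sess-901"]',
     "FAILED", '["bob"]', ENTRIES, "Authentication", "/"),
    ("n2", "2020-01-01T10:00:05.030Z", "txn-2", "AM-LOGIN-COMPLETED", "", '["sess-902"]',
     "FAILED", '["bob"]', ENTRIES, "Authentication", "/"),
    ("n3", "2020-01-01T10:00:09.030Z", "txn-3", "AM-LOGIN-COMPLETED", "", '["sess-903"]',
     "FAILED", '["admin"]', ENTRIES, "Authentication", "/"),
    ("n4", "2020-01-01T10:02:00.080Z", "txn-4", "AM-LOGIN-COMPLETED",
     "id=alice,ou=user,dc=example,dc=com", '["sess-111"]',
     "SUCCESSFUL", '["alice"]', ENTRIES, "Authentication", "/"),
]


def build_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO am_auditaccess VALUES (" + ",".join("?" * 14) + ")",
                     ACCESS_ROWS)
    conn.executemany("INSERT INTO am_auditauthentication VALUES (" + ",".join("?" * 11) + ")",
                     AUTH_ROWS)
    return conn


def failed_logins_by_client(conn, threshold):
    """Client addresses with at least `threshold` failed AM-LOGIN-COMPLETED rows.
    The address is in the access row and the outcome in the authentication row,
    so the two tables are joined on transactionid."""
    sql = """
        SELECT a.client_ip, COUNT(*) AS failures
        FROM am_auditauthentication n
        JOIN am_auditaccess a ON a.transactionid = n.transactionid
        WHERE n.result = 'FAILED' AND n.eventname = 'AM-LOGIN-COMPLETED'
        GROUP BY a.client_ip
        HAVING COUNT(*) >= ?
        ORDER BY failures DESC, a.client_ip"""
    return conn.execute(sql, (threshold,)).fetchall()


def principals_tried_from(conn, client_ip):
    """Distinct account names decoded from the JSON principals column of the
    failed logins that came from one client address."""
    sql = """
        SELECT n.principals
        FROM am_auditauthentication n
        JOIN am_auditaccess a ON a.transactionid = n.transactionid
        WHERE n.result = 'FAILED' AND a.client_ip = ?"""
    names = set()
    for (principals,) in conn.execute(sql, (client_ip,)):
        names.update(json.loads(principals))
    return sorted(names)


if __name__ == "__main__":
    db = build_db()
    for ip, count in failed_logins_by_client(db, 3):
        print(ip, count, principals_tried_from(db, ip))
```

The same two statements run unchanged against a MySQL or PostgreSQL audit database once the column list matches the full tables above; the threshold is a parameter so the query can be tuned per realm. Because principals and entries are stored as JSON text in MEDIUMTEXT columns, decoding happens in the application rather than in SQL.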
Debug Log Files
Debug log files provide information to help troubleshoot problems.
The number of messages logged to the debug log files depends on the debug logging level. The default debug logging level is Error. Using other logging levels such as Warning or Message may increase the number of debug log messages and files.
When configured with the Message logging level, a server instance can produce more than a hundred debug log files. Use the debug log file names to determine the type of troubleshooting information in each file. For example, the command-line interface logs debug messages to the amCLI debug file. The OAuth2 provider logs debug messages to the OAuth2Provider debug file. The Naming Service logs messages to the amNaming debug file.
For information about configuring the location and verbosity of debug log files, see "SNMP Monitoring (Legacy)".