Audit Logging Reference
AM writes log messages generated from audit events triggered by its components, instances, and other ForgeRock-based stack products.
Audit Log Format
This section presents the audit log format for each topic-based file, event names, and audit constants used in its log messages.
Access Log Format
Schema Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock stack products can propagate the transaction ID through each call across the stack. AM reads the |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. In releases prior to OpenAM 13.0.0, the OpenAM 13.0.0 extended this property to handle OAuth 2.0 tokens. In this case, whenever AM generates an access or grant token, it also generates a unique random value and logs it as an alias. In this way, it is possible to trace an access token back to its originating grant token, trace the grant token back to the session in which it was created, and then trace how the session was authenticated. An example of a |
server.ip | Specifies the IP address of the AM server. For example, |
server.port | Specifies the port number used by the AM server. For example, |
client.host | Specifies the client hostname. This field is only populated if reverse DNS lookup is enabled. |
client.ip | Specifies the client IP address. |
client.port | Specifies the client port number. |
authorizationId.roles | Specifies the list of roles for the authorized user. |
authorizationId.component | Specifies the component part of the authorized ID, such as |
request.protocol | Specifies the protocol associated with the request operation. Possible values: |
request.operation | Specifies the request operation. For Common REST operations, possible values are: For PLL operations, possible values are: |
request.detail | Specifies the detailed information about the request operation. For example:
|
http.method | Specifies the HTTP method requested by the client. For example, |
http.path | Specifies the path of the HTTP request. For example, |
http.queryParameters | Specifies the HTTP query parameter string. For example:
|
http.request.headers | Specifies the HTTP header for the request. For example: { "accept":[ "application/json, text/javascript, */*; q=0.01" ], "Accept-API-Version":[ "protocol=1.0" ], "accept-encoding":[ "gzip, deflate" ], "accept-language":[ "en-US;q=1,en;q=0.9" ], "cache-control":[ "no-cache" ], "connection":[ "Keep-Alive" ], "content-length":[ "0" ], "host":[ "forgerock-am.openrock.org" ], "pragma":[ "no-cache" ], "referer":[ "https://forgerock-am.openrock.org/openam/XUI/" ], "user-agent":[ "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0" ], "x-nosession":[ "true" ], "x-requested-with":[ "XMLHttpRequest" ], "x-username":[ "anonymous" ] } Note: line feeds and truncated values in the example are for readability purposes. |
http.request.cookies | Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. |
http.response.cookies | Not used in AM. |
response.status | Specifies the response status of the request. For example, |
response.statusCode | Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed. |
response.detail | Specifies the message associated with |
response.elapsedTime | Specifies the time to execute the access event, usually in millisecond precision. |
response.elapsedTimeUnits | Specifies the elapsed time units of the response. For example, |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Activity Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies an array containing a random context ID that identifies the session and a random string generated from an OAuth 2.0/OpenID Connect 1.0 flow that could track an access token ID or a grant token ID. For example, |
runAs | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectId | Specifies the identifier of an object that has been created, updated, or deleted. For logging sessions, the session |
operation | Specifies the state change operation invoked: |
before | Not used. |
after | Not used. |
changedFields | Not used. |
revision | Not used. |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Authentication Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, |
user.id | Specifies the universal identifier for authenticated users. For example, |
trackingIds | Specifies an array containing a unique random context ID. For example:
|
result | Depending on the event being logged, specifies the outcome of:
Possible values are |
principal | Specifies the array of accounts used to authenticate, such as |
context | Not used |
entries | Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. Examples: "entries":[ { "moduleId":"DataStore", "info":{ "moduleClass":"DataStore", "ipAddress":"127.0.0.1", "moduleName":"DataStore", "authLevel":"0" } } ] "entries":[ { "info":{ "nodeOutcome":"true", "treeName":"Example", "displayName":"Data Store Decision", "nodeType":"DataStoreDecisionNode", "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170", "authLevel":"0" } } ] |
component | Specifies the AM service utilized. For example, |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
Config Log Format
Property | Description |
---|---|
_id | Specifies a universally unique identifier (UUID) for the message object. For example, |
timestamp | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
eventName | Specifies the name of the audit event. For example, |
transactionId | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, |
user.id | Not used. You can determine the value for this field by linking to the access event using the same |
trackingIds | Not used. |
runAs | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectId | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | Specifies the state change operation invoked: |
before | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
after | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedFields | Specifies the fields that were changed. For example, |
revision | Not used. |
component | Not used. |
realm | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
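Config events leave the user field unused, so attributing a configuration change means joining it to the access event that shares its transaction ID. The following is an added example, not code from AM or its documentation; it assumes events are stored as one JSON object per line with the key names used in the whitelist paths (`userId`, `transactionId`), and every ID, DN, address and `operation` value in the sample is constructed.

```python
import json

# Constructed sample events: one JSON object per line, all values made up.
ACCESS_LINES = """
{"eventName": "AM-ACCESS-OUTCOME", "transactionId": "tx-100", "userId": "", "client": {"ip": "198.51.100.7"}}
{"eventName": "AM-ACCESS-OUTCOME", "transactionId": "tx-100", "userId": "id=amadmin,ou=user,dc=example,dc=com", "client": {"ip": "198.51.100.7"}}
{"eventName": "AM-ACCESS-OUTCOME", "transactionId": "tx-300", "userId": "id=demo,ou=user,dc=example,dc=com", "client": {"ip": "203.0.113.20"}}
"""

CONFIG_LINES = """
{"eventName": "AM-CONFIG-CHANGE", "transactionId": "tx-100", "objectId": "ou=ExampleChain,ou=constructed", "operation": "UPDATE", "changedFields": ["sunKeyValue"], "realm": "/"}
{"eventName": "AM-CONFIG-CHANGE", "transactionId": "tx-200", "objectId": "ou=OtherObject,ou=constructed", "operation": "DELETE", "changedFields": [], "realm": "/"}
"""


def parse_lines(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_access_by_transaction(access_events):
    """Map transactionId -> (userId, client IP), taken from the first access
    event in that transaction that actually carries a user ID."""
    actors = {}
    for event in access_events:
        tx = event.get("transactionId")
        user = event.get("userId")
        if tx and user and tx not in actors:
            actors[tx] = (user, event.get("client", {}).get("ip"))
    return actors


def attribute_config_changes(access_events, config_events):
    """Attach an actor to every AM-CONFIG-CHANGE event via its transaction ID."""
    actors = index_access_by_transaction(access_events)
    report = []
    for event in config_events:
        if event.get("eventName") != "AM-CONFIG-CHANGE":
            continue
        tx = event.get("transactionId")
        user, client_ip = actors.get(tx, (None, None))
        report.append({
            "transactionId": tx,
            "objectId": event.get("objectId"),
            "operation": event.get("operation"),
            "changedFields": event.get("changedFields", []),
            "actor": user,          # None when no access event matches
            "clientIp": client_ip,
        })
    return report


def unattributed(report):
    """Config changes with no matching access event: review these first, since
    the access topic may be disabled, rotated away, or not yet collected."""
    return [row for row in report if row["actor"] is None]


if __name__ == "__main__":
    rows = attribute_config_changes(parse_lines(ACCESS_LINES), parse_lines(CONFIG_LINES))
    for row in rows:
        print(row)
```
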
Audit Log Event Names
The following section presents the predefined names for the audit events:
Topic | EventName |
---|---|
access | AM-ACCESS_ATTEMPT |
access | AM-ACCESS-OUTCOME |
activity | AM-SELFSERVICE-REGISTRATION-COMPLETED |
activity | AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED |
activity | AM-SESSION-CREATED |
activity | AM-SESSION-IDLE_TIME_OUT |
activity | AM-SESSION-MAX_TIMED_OUT |
activity | AM-SESSION-LOGGED_OUT |
activity | AM-SESSION-DESTROYED |
activity | AM-SESSION-PROPERTY_CHANGED |
activity | AM-IDENTITY-CHANGE |
activity | AM-GROUP-CHANGE |
authentication | AM-LOGOUT |
authentication | AM-LOGIN-COMPLETED |
authentication | AM-LOGIN-MODULE-COMPLETED |
authentication | AM-NODE-LOGIN-COMPLETED |
authentication | AM-TREE-LOGIN-COMPLETED |
config | AM-CONFIG-CHANGE |
Audit Log Components
The following section presents the predefined audit event components that make up the log messages:
Event Component | AM Component, Service, or Feature |
---|---|
OAuth | OAuth 2.0, OpenID Connect 1.0, and UMA |
CTS | Core Token Service |
AM Agents | Web and Java agents |
Authentication | Authentication service |
Dashboard | Dashboard service |
Server Info | Server information service |
Users | Users component |
Groups | Groups component |
Oath | Mobile authentication |
Devices | Trusted devices |
Policy | Policies |
Realms | Realms and sub-realms |
Session | Session service |
Script | Scripting service |
Batch | Batch service |
Config | Configuration |
STS | Secure Token Service: REST and SOAP |
Record | Recording service |
Audit | Auditing service |
Radius | RADIUS server |
Self-Service | User Self-Service service |
ssoadm | ssoadm command |
SAML2 | SAML v2.0 |
Push | Push Notification service |
Audit Log Failure Reasons
The following section presents the predefined audit event failure reasons:
Failure | Description |
---|---|
LOGIN_FAILED | Incorrect/invalid credentials presented. |
INVALID_PASSWORD | Invalid credentials entered. |
NO_CONFIG | Authentication chain does not exist. |
NO_USER_PROFILE | No user profile found for this user. |
USER_INACTIVE | User is not active. |
LOCKED_OUT | Maximum number of failure attempts exceeded. User is locked out. |
ACCOUNT_EXPIRED | User account has expired. |
LOGIN_TIMEOUT | Login timed out. |
MODULE_DENIED | Authentication module is denied. |
MAX_SESSION_REACHED | Limit for maximum number of allowed sessions has been reached. |
INVALID_REALM | Realm does not exist. |
REALM_INACTIVE | Realm is not active. |
USER_NOT_FOUND | Role-based authentication: user does not belong to this role. |
AUTH_TYPE_DENIED | Authentication type is denied. |
SESSION_CREATE_ERROR | Cannot create a session. |
INVALID_LEVEL | Level-based authentication: Invalid authentication level. |
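The failure reasons above can drive simple detections over authentication events. The following is an added example, not code from AM or its documentation; it assumes the failure reason appears under a `failureReason` key inside each entry's `info` object, next to the `ipAddress` shown in the `entries` examples, and that timestamps are ISO 8601 UTC with milliseconds. All events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reasons from the failure table that indicate a wrong or unknown credential.
CREDENTIAL_FAILURES = {"LOGIN_FAILED", "INVALID_PASSWORD", "NO_USER_PROFILE"}


def parse_ts(value):
    # Assumed timestamp layout: ISO 8601 UTC with millisecond precision.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def failure_of(event):
    """Return (reason, ip) from the first entry carrying a failure reason, else None."""
    for entry in event.get("entries", []):
        info = entry.get("info", {})
        if "failureReason" in info:  # assumed key name
            return info["failureReason"], info.get("ipAddress")
    return None


def max_in_window(items, window):
    """Largest count of distinct values seen in any time window.
    items is a sorted list of (timestamp, value) tuples."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in items[start:end + 1]}))
    return best


def detect(events, window=timedelta(minutes=5), threshold=3):
    """Flag repeated failures per account, one address failing against many
    accounts, and accounts that reached LOCKED_OUT."""
    by_user, by_ip, lockouts = defaultdict(list), defaultdict(list), set()
    for event in events:
        failure = failure_of(event)
        if failure is None:
            continue
        reason, ip = failure
        user = (event.get("principal") or ["<unknown>"])[0]
        ts = parse_ts(event["timestamp"])
        if reason == "LOCKED_OUT":
            lockouts.add(user)
        elif reason in CREDENTIAL_FAILURES:
            by_user[user].append((ts, len(by_user[user])))  # one value per attempt
            if ip:
                by_ip[ip].append((ts, user))                # distinct accounts per IP
    return {
        "guessing": sorted(u for u, i in by_user.items()
                           if max_in_window(sorted(i), window) >= threshold),
        "spraying": sorted(a for a, i in by_ip.items()
                           if max_in_window(sorted(i), window) >= threshold),
        "lockouts": sorted(lockouts),
    }


def sample_event(clock, user, ip, reason=None):
    """Build a constructed authentication event for the demonstration."""
    info = {"ipAddress": ip, "moduleName": "DataStore"}
    if reason:
        info["failureReason"] = reason
    return {"eventName": "AM-LOGIN-MODULE-COMPLETED",
            "timestamp": f"2019-03-01T{clock}.000Z",
            "principal": [user],
            "entries": [{"moduleId": "DataStore", "info": info}]}


SAMPLE_EVENTS = [
    sample_event("10:00:00", "alice", "203.0.113.5", "INVALID_PASSWORD"),
    sample_event("10:01:00", "alice", "203.0.113.5", "INVALID_PASSWORD"),
    sample_event("10:02:00", "alice", "203.0.113.5", "INVALID_PASSWORD"),
    sample_event("10:02:30", "alice", "203.0.113.5", "LOCKED_OUT"),
    sample_event("10:10:00", "bob", "198.51.100.9", "LOGIN_FAILED"),
    sample_event("10:10:20", "carol", "198.51.100.9", "LOGIN_FAILED"),
    sample_event("10:10:40", "dave", "198.51.100.9", "LOGIN_FAILED"),
    sample_event("11:00:00", "erin", "192.0.2.44", "INVALID_PASSWORD"),
    sample_event("11:30:00", "erin", "192.0.2.44", "INVALID_PASSWORD"),
    sample_event("11:31:00", "erin", "192.0.2.44"),  # no failure reason: ignored
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```
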
Audit Log Default Whitelist
When an object is passed in an audit event, it might contain information that should not be logged. By default, AM uses a whitelist to specify which fields of the event appear.
The following fields appear on the default, built-in whitelist. The list specifies each field by its JSON path. If a whitelisted field contains an object, then listing the field means the whole object is whitelisted:
Access Log Whitelist
/_id
/client
/eventName
/http/request/headers/accept
/http/request/headers/accept-api-version
/http/request/headers/content-type
/http/request/headers/host
/http/request/headers/user-agent
/http/request/headers/x-forwarded-for
/http/request/headers/x-forwarded-host
/http/request/headers/x-forwarded-port
/http/request/headers/x-forwarded-proto
/http/request/headers/x-original-uri
/http/request/headers/x-real-ip
/http/request/headers/x-request-id
/http/request/headers/x-requested-with
/http/request/headers/x-scheme
/http/request/method
/http/request/path
/http/request/queryParameters/authIndexType
/http/request/queryParameters/authIndexValue
/http/request/queryParameters/composite_advice
/http/request/queryParameters/level
/http/request/queryParameters/module_instance
/http/request/queryParameters/resource
/http/request/queryParameters/role
/http/request/queryParameters/service
/http/request/queryParameters/user
/http/request/secure
/request
/response
/server
/timestamp
/trackingIds
/transactionId
/userId
Activity Log Whitelist
/_id
/after/assignedDashboard
/after/cn
/after/commonName
/after/givenName
/after/inetUserStatus
/after/iplanet-am-user-alias-list
/after/iplanet-am-user-login-status
/after/kbaInfoAttempts
/after/memberof
/after/o
/after/oath2faEnabled
/after/objectClass
/after/organizationName
/after/organizationUnitName
/after/ou
/after/push2faEnabled
/after/sn
/after/sunAMAuthInvalidAttemptsData
/after/surname
/after/uid
/after/uniqueMember
/after/userid
/before/assignedDashboard
/before/cn
/before/commonName
/before/givenName
/before/inetUserStatus
/before/iplanet-am-user-alias-list
/before/iplanet-am-user-login-status
/before/kbaInfoAttempts
/before/memberof
/before/o
/before/oath2faEnabled
/before/objectClass
/before/organizationName
/before/organizationUnitName
/before/ou
/before/push2faEnabled
/before/sn
/before/sunAMAuthInvalidAttemptsData
/before/surname
/before/uid
/before/uniqueMember
/before/userid
/changedFields
/component
/eventName
/objectId
/operation
/realm
/revision
/runAs
/timestamp
/trackingIds
/transactionId
/userId
Authentication Log Whitelist
/
Config Log Whitelist
/_id
/changedFields
/component
/eventName
/objectId
/operation
/realm
/revision
/runAs
/timestamp
/trackingIds
/transactionId
/userId
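To see what a whitelist like the ones above keeps and drops, the following added example (not code from AM or its documentation) applies a list of JSON paths to an event, keeping the whole object when a path names one. It assumes exact, case-sensitive key matching; the event, its token values and the shortened whitelist are constructed.

```python
import copy

# Subset of the access whitelist paths listed above.
ACCESS_WHITELIST = [
    "/_id", "/client", "/eventName",
    "/http/request/headers/host",
    "/http/request/headers/user-agent",
    "/http/request/method", "/http/request/path",
    "/http/request/queryParameters/service",
    "/response", "/timestamp", "/transactionId", "/userId",
]

# Constructed access event; header, cookie and token values are made up.
SAMPLE_EVENT = {
    "_id": "constructed-id-1",
    "eventName": "AM-ACCESS-OUTCOME",
    "transactionId": "tx-100",
    "client": {"ip": "198.51.100.7", "port": 51234},
    "http": {"request": {
        "method": "POST",
        "path": "https://am.example.com/openam/json/authenticate",
        "headers": {
            "host": ["am.example.com"],
            "user-agent": ["ExampleClient/1.0"],
            "authorization": ["Bearer CONSTRUCTED-TOKEN"],
        },
        "cookies": {"iPlanetDirectoryPro": "CONSTRUCTED-SESSION-TOKEN"},
        "queryParameters": {"service": ["Example"], "goto": ["https://app.example.com/"]},
    }},
    "response": {"status": "SUCCESSFUL", "elapsedTime": 12},
}


def lookup(event, keys):
    """Follow keys into nested dicts; return (found, value)."""
    node = event
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def apply_whitelist(event, whitelist):
    """Return a copy of event that holds only the whitelisted paths.
    A path that names an object keeps that whole object; "/" keeps everything."""
    kept = {}
    for path in whitelist:
        keys = [k for k in path.split("/") if k]
        if not keys:
            return copy.deepcopy(event)
        found, value = lookup(event, keys)
        if not found:
            continue  # do not create empty parents for absent fields
        target = kept
        for key in keys[:-1]:
            target = target.setdefault(key, {})
        target[keys[-1]] = copy.deepcopy(value)
    return kept


def leaf_paths(node, prefix=""):
    """Yield the JSON path of every leaf; lists count as leaves."""
    if isinstance(node, dict) and node:
        for key, value in node.items():
            yield from leaf_paths(value, f"{prefix}/{key}")
    else:
        yield prefix or "/"


def dropped_paths(event, filtered):
    """Paths present in the event but absent after filtering."""
    return sorted(set(leaf_paths(event)) - set(leaf_paths(filtered)))


if __name__ == "__main__":
    filtered = apply_whitelist(SAMPLE_EVENT, ACCESS_WHITELIST)
    print(filtered)
    print(dropped_paths(SAMPLE_EVENT, filtered))
```

Running `dropped_paths` against captured events before changing a whitelist shows which fields, such as session cookies or authorization headers, would start reaching the log.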
JDBC Audit Log Tables
AM writes audit events to relational databases using the JDBC audit event handler. This section presents the columns for each audit table.
am_auditaccess
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for the authenticated user. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
server_ip | VARCHAR(40) | Specifies the IP address of the AM server. |
server_port | VARCHAR(5) | Specifies the port number used by the AM server. For example, |
client_host | VARCHAR(255) | Specifies the client hostname. This column is only populated if reverse DNS lookup is enabled. |
client_ip | VARCHAR(40) | Specifies the client IP address. |
client_port | VARCHAR(5) | Specifies the client port number. |
request_protocol | VARCHAR(255) NULL | Specifies the protocol associated with the request operation. Possible values: |
request_operation | VARCHAR(255) NULL | Specifies the request operation. For Common REST operations, possible values: For PLL operations, possible values: |
request_detail | TEXT NULL | Specifies the detailed information about the request operation. For example:
|
http_request_secure | BOOLEAN NULL | Specifies the HTTP method requested by the client. For example, |
http_request_method | VARCHAR(7) NULL | Specifies the HTTP method requested by the client. For example, |
http_request_path | VARCHAR(255) NULL | Specifies the path of the HTTP request. For example, |
http_request_queryparameters | MEDIUMTEXT NULL | Specifies the HTTP query parameter string. For example:
|
http_request_headers | MEDIUMTEXT NULL | Specifies the HTTP headers for the request. For example: { "accept":[ "application/json, text/javascript, */*; q=0.01" ], "Accept-API-Version":[ "protocol=1.0" ], "accept-encoding":[ "gzip, deflate" ], "accept-language":[ "en-US;q=1,en;q=0.9" ], "cache-control":[ "no-cache" ], "connection":[ "Keep-Alive" ], "content-length":[ "0" ], "host":[ "forgerock-am.openrock.org" ], "pragma":[ "no-cache" ], "referer":[ "https://forgerock-am.openrock.org/openam/XUI/" ], "user-agent":[ "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0" ], "x-nosession":[ "true" ], "x-requested-with":[ "XMLHttpRequest" ], "x-username":[ "anonymous" ] } Note: line feeds and truncated values in the example are for readability purposes. |
http_request_cookies | MEDIUMTEXT NULL | Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. For example: "cookies": "amlbcookie=01; iPlanetDirectoryPro=\"AQIC5wM2LY....*AAJTSQACMfwT...*\"; iPlanetDirectoryPro=eyJ0eXAiOiJK....eyJzdWIiOiJkZ..." Note: line feeds and truncated values in the example are for readability purposes. |
http_response_headers | MEDIUMTEXT NULL | Captures the headers returned by AM to the client (that is, the inverse of |
response_status | VARCHAR(10) NULL | Specifies the response status of the request. For example, |
response_statuscode | VARCHAR(255) NULL | Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed. |
response_detail | TEXT NULL | Specifies the message associated with the response status code. For example, a response status code of 401 has a response detail of |
response_elapsedtime | VARCHAR(255) NULL | Specifies the time to execute the access event, usually in millisecond precision. |
response_elapsedtimeunits | VARCHAR(255) NULL | Specifies the elapsed time units of the response. For example, |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditauthentication
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
result | VARCHAR(255) NULL | Depending on the event being logged, specifies the outcome of:
Possible values are |
principals | MEDIUMTEXT | Specifies the array of accounts used to authenticate, such as |
context | N/A | MEDIUMTEXT. Not used. |
entries | MEDIUMTEXT | Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. For example: "entries":[ { "moduleId":"DataStore", "info":{ "moduleClass":"DataStore", "ipAddress":"127.0.0.1", "moduleName":"DataStore", "authLevel":"0" } } ] "entries":[ { "info":{ "nodeOutcome":"true", "treeName":"Example", "displayName":"Data Store Decision", "nodeType":"DataStoreDecisionNode", "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170", "authLevel":"0" } } ] |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditactivity
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NOT NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
runas | VARCHAR(255) NULL | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectid | VARCHAR(255) NULL | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | VARCHAR(255) NULL | Specifies the state change operation invoked: |
beforeObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
afterObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedfields | VARCHAR(255) NULL | Specifies the columns that were changed. For example, |
rev | VARCHAR(255) NULL | Not used. |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |
am_auditconfig
Column | Datatype | Description |
---|---|---|
id | VARCHAR(56) NOT NULL | Specifies a universally unique identifier (UUID) for the message object, such as |
timestamp_ | VARCHAR(29) NULL | Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: |
transactionid | VARCHAR(255) NULL | Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the |
eventname | VARCHAR(255) NULL | Specifies the name of the audit event. For example, |
userid | VARCHAR(255) NULL | Specifies the universal identifier for authenticated users. For example, |
trackingids | MEDIUMTEXT | Specifies the tracking IDs of the event, used by all topics. |
runas | VARCHAR(255) NULL | Specifies the user to run the activity as. May be used in delegated administration. For example, |
objectid | VARCHAR(255) NULL | Specifies the identifier of a system object that has been created, modified, or deleted. For example, |
operation | VARCHAR(255) NULL | Specifies the state change operation invoked: |
beforeObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object prior to the activity. For example: { "sunsmspriority":[ "0" ], "objectclass":[ "top", "sunServiceComponent", "organizationalUnit" ], "ou":[ "SamuelTwo" ], "sunserviceID":[ "serverconfig" ] } |
afterObject | MEDIUMTEXT NULL | Specifies the JSON representation of the object after the activity. For example: { "sunKeyValue":[ "forgerock-am-auth-saml2-auth-level=0", "forgerock-am-auth-saml2-meta-alias=/sp", "forgerock-am-auth-saml2-entity-name=http://", "forgerock-am-auth-saml2-authn-context-decl-ref=", "forgerock-am-auth-saml2-force-authn=none", "forgerock-am-auth-saml2-is-passive=none", "forgerock-am-auth-saml2-login-chain=", "forgerock-am-auth-saml2-auth-comparison=none", "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "forgerock-am-auth-saml2-authn-context-class-ref=", "forgerock-am-auth-saml2-slo-relay=http://", "forgerock-am-auth-saml2-allow-create=false", "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ] } |
changedfields | VARCHAR(255) NULL | Specifies the columns that were changed. For example, |
rev | VARCHAR(255) | Not used. |
component | VARCHAR(255) NULL | Specifies the AM service utilized. For example, |
realm | VARCHAR(255) NULL | Specifies the realm where the operation occurred. For example, the Top Level Realm ( |