Audit event topics
The audit service logs information from six event topics: access, activity, authentication, configuration, reconciliation, and synchronization.
When you start IDM, it creates audit log files in the openidm/audit directory. The default file-based audit event handler is the JSON handler, which creates one JSON file for each event topic.
To configure default and custom audit topics in the admin UI, select Configure > System Preferences. Click on the Audit tab, and scroll down to Event Topics.
Default audit event topics
The audit service logs the following event topics by default:
- Access Events
  IDM writes messages at system boundaries, that is, REST endpoints and the invocation of scheduled tasks, to this log. In short, it records who, what, and the outcome of every access request.
  Default file: openidm/audit/access.audit.json
- Activity Events
  IDM logs operations on internal (managed) and external (system) objects to this log.
  Entries in the activity log contain identifiers, both for the action that triggered the activity and for the original caller, and the relationships between related actions on internal and external objects.
  Default file: openidm/audit/activity.audit.json
- Authentication Events
  IDM logs the results of authentication operations to this log, including when and how a user authenticated and related events. The activity log contains additional detail about each authentication action.
  Default file: openidm/audit/authentication.audit.json
- Configuration Events
  IDM logs changes to the configuration in this log. The configuration log includes the "before" and "after" settings for each configuration item, with timestamps.
  Default file: openidm/audit/config.audit.json
- Reconciliation Events
  IDM logs the results of reconciliation runs to this log, including situations and the resulting actions taken. The activity log contains details about the actions; its entries display parent activity identifiers (recon/reconID), links, and policy events by data store.
  Default file: openidm/audit/recon.audit.json
- Synchronization Events
  IDM logs the results of automatic synchronization operations (liveSync and implicit synchronization) to this log, including situations and the actions taken on each object, by account. The activity log contains additional detail about each action.
  Default file: openidm/audit/sync.audit.json
For detailed information about each audit event topic, refer to Audit event handler configuration.
Custom audit event topics
You can create custom event topics to collect audit information for customizations, such as scripts. Creating a new event topic has a few additional requirements:
- You must specify a schema for your custom topic. The schema determines the structure and type of information stored in audit logs.
- Your script needs to call the new audit event topic (for example, audit/example), providing the values you specified in your topic schema.
Create custom event topics directly in audit.json, or using the admin UI. The following example, from an audit.json file, has been modified to include a custom audit event topic named example. The "filter" object is a sibling of "schema" at the topic level, not part of the schema itself:

    "eventTopics": {
        "authentication": {},
        "access": {},
        ...
        "example": {
            "schema": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "id": "/",
                "type": "object",
                "properties": {
                    "_id": {
                        "id": "_id",
                        "type": "string"
                    },
                    "transactionId": {
                        "id": "transactionId",
                        "type": "string"
                    },
                    "timestamp": {
                        "id": "timestamp",
                        "type": "string"
                    },
                    "status": {
                        "id": "status",
                        "type": "string"
                    },
                    "message": {
                        "id": "message",
                        "type": "string"
                    }
                }
            },
            "filter": {
                "actions": []
            }
        }
    }
When your topic has been created, add it to an event handler such as the JsonAuditEventHandler, in order to output the audit logs in your desired format. New audit events can be sent by calling the audit topic endpoint (in this example, audit/example). For example, the following REST call adds a new audit event for the example topic:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --header "Content-Type: application/json" \
    --request POST \
    --data '{
      "transactionId": "779d3cda-dab3-4e54-9ab1-e0ca4c7ae6df-699",
      "timestamp": "2019-02-12T01:11:02.675Z",
      "status": "SUCCESS",
      "message": "Script has run successfully."
    }' \
    "http://localhost:8080/openidm/audit/example"

    {
      "_id": "2091c3f2-7a22-47bf-a618-b2af4c322e46-1192",
      "transactionId": "779d3cda-dab3-4e54-9ab1-e0ca4c7ae6df-699",
      "timestamp": "2019-02-12T01:11:02.675Z",
      "status": "SUCCESS",
      "message": "Script has run successfully."
    }

This new audit event is logged to the audit log specified by your event handler. For example, if you added the example topic to the JsonAuditEventHandler, you can find your new audit event logged in audit/example.audit.json.
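The requirements above say a script must call the custom topic with values matching the topic schema, but the page only shows the REST call. The following is an added example, not code from the IDM documentation or the IDM code base, of a server-side IDM script that emits events to the example topic. It relies on the real IDM scripting call openidm.create(resourceName, newResourceId, content), passing null as the id so the audit service generates _id, as the REST response above shows. Everything else is an assumption of this example: the function names (validateEvent, buildExampleEvent, emitExampleEvent), the status vocabulary in ALLOWED_STATUS (the page only shows "SUCCESS"), the rule that the caller supplies the four fields other than _id, and the mock client that stands in for the openidm global so the script runs under Node. It is written in ES5 syntax because IDM's script engine is Rhino.

```javascript
// Added example: an IDM script emitting events to the custom audit/example
// topic. Not from the IDM documentation or code base. The topic schema is the
// one shown on this page; everything else is an assumption of this example.
"use strict";

// Copy of the page's topic schema: the fields the audit handler will store.
var EXAMPLE_TOPIC_SCHEMA = {
  type: "object",
  properties: {
    _id: { type: "string" },
    transactionId: { type: "string" },
    timestamp: { type: "string" },
    status: { type: "string" },
    message: { type: "string" }
  }
};

// Assumption: the caller fills these; _id is generated by the audit service.
var CALLER_FIELDS = ["transactionId", "timestamp", "status", "message"];

// Assumption: a fixed status vocabulary (the page only shows "SUCCESS").
var ALLOWED_STATUS = ["SUCCESS", "FAILURE"];

// Returns a list of problems; an empty list means the event matches the schema.
// Checks for missing caller fields, fields the schema does not declare, and
// wrong JSON types, so a typo in a field name does not silently drop data.
function validateEvent(event, schema) {
  var problems = [];
  var i, name, spec;
  for (i = 0; i < CALLER_FIELDS.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(event, CALLER_FIELDS[i])) {
      problems.push("missing field: " + CALLER_FIELDS[i]);
    }
  }
  var keys = Object.keys(event);
  for (i = 0; i < keys.length; i++) {
    name = keys[i];
    spec = schema.properties[name];
    if (!spec) {
      problems.push("field not in topic schema: " + name);
    } else if (typeof event[name] !== spec.type) {
      problems.push("field " + name + " should be " + spec.type + ", got " + typeof event[name]);
    }
  }
  return problems;
}

// Builds an event for audit/example. The timestamp is ISO 8601 UTC, like the
// default topics, so the entry can be correlated with the access log entry
// that carries the same transactionId. 'now' is optional (for testing).
function buildExampleEvent(transactionId, status, message, now) {
  if (ALLOWED_STATUS.indexOf(status) === -1) {
    throw new Error("status must be one of " + ALLOWED_STATUS.join(", "));
  }
  return {
    transactionId: String(transactionId),
    timestamp: (now || new Date()).toISOString(),
    status: status,
    message: String(message)
  };
}

// Emits the event through 'client' (the openidm global inside IDM). Validation
// runs before the call, so a malformed event never reaches the audit service
// and the script fails loudly instead of logging junk.
function emitExampleEvent(client, transactionId, status, message, now) {
  var event = buildExampleEvent(transactionId, status, message, now);
  var problems = validateEvent(event, EXAMPLE_TOPIC_SCHEMA);
  if (problems.length > 0) {
    throw new Error("audit/example event rejected: " + problems.join("; "));
  }
  return client.create("audit/example", null, event);
}

// Stand-in for the openidm object outside IDM: records each call and returns
// the stored content with a generated _id, as the audit endpoint does.
function makeMockClient() {
  var calls = [];
  return {
    calls: calls,
    create: function (resource, id, content) {
      calls.push({ resource: resource, id: id, content: content });
      var stored = { _id: "mock-" + calls.length };
      Object.keys(content).forEach(function (k) { stored[k] = content[k]; });
      return stored;
    }
  };
}

// Inside IDM the openidm global exists; elsewhere use the mock so this runs.
var auditClient = (typeof openidm !== "undefined") ? openidm : makeMockClient();
var result = emitExampleEvent(auditClient,
  "779d3cda-dab3-4e54-9ab1-e0ca4c7ae6df-699", "SUCCESS", "Script has run successfully.");
console.log(JSON.stringify(result));
```

Inside IDM, drop the mock and let the script use the openidm global directly; keep the validation step, since the custom schema on this page declares no required properties, so nothing else enforces that every event carries the fields your log consumers expect.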