Auditing
Web Agent logs audit events for security, troubleshooting, and regulatory compliance. Logs are written in UTF-8. Store audit event logs in the following ways:
- Remotely
-
Log audit events to the audit event handler configured in the AM realm. In an environment with several AM servers, agents write audit logs to the AM server that satisfies the agent request for client authentication or resource authorization.
Web Agent cannot log audit events remotely if:
-
AM’s audit logging service is disabled.
-
No audit event handler is configured in the realm where the agent is configured.
-
All audit event handlers configured in the realm where the agent is configured are disabled.
For more information about audit logging in AM, refer to Setting up audit logging in AM’s Security guide.
-
- Locally
-
Log audit events in JSON format to
web_agents/agent_type/instances/agent_n/logs/debug/audit.log
. The following is an example agent log file:/web_agents/nginx22_agent/instances/agent_1/logs/audit/audit.log
. - Remotely and locally
-
Log audit events:
-
To
web_agents/agent_type/instances/agent_n/logs/debug/audit.log
-
To the audit event handler configured in the AM realm in which the agent profile is configured.
-
The following is an example agent log record:
{
"timestamp":"2017-10-30T11:56:57Z",
"eventName":"AM-ACCESS-OUTCOME",
"transactionId":"608831c4-7351-4277-8a5f-b1a83fe2277e",
"userId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
"trackingIds":[
"fd5c8ccf-7d97-49ba-a775-76c3c06eb933-82095",
"fd5c8ccf-7d97-49ba-a775-76c3c06eb933-82177"
],
"component":"Web Policy Agent",
"realm":"/",
"server":{
"ip":"127.0.0.1",
"port":8020
},
"request":{
"protocol":"HTTP/1.1",
"operation":"GET"
},
"http":{
"request":{
"secure":false,
"method":"GET",
"path":"http://my.example.com:8020/examples/",
"cookies":{
"am-auth-jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOi[...]"
"i18next":"en",
"amlbcookie":"01",
"iPlanetDirectoryPro":"Ts2zDkGUqgtkoxR[...]"
}
}
},
"response":{
"status":"DENIED"
},
"_id":"fd5c8ccf-7d97-49ba-a775-76c3c06eb933-81703"
}
Local audit logs do not have an _id attribute, which is an internal
AM id.
|
The audit log format adheres to the log structure shared across the ForgeRock Identity Platform. For more information about the audit log format, refer to Audit log format in AM’s Security guide.
Web Agent supports propagation of the transaction ID across the
ForgeRock Identity Platform, using the HTTP header X-ForgeRock-TransactionId
. For more
information about configuring the header, refer to
Configuring the trust transaction header system property
in AM’s Security guide.
By default, Web Agent does not write audit log records. To configure audit logging, perform the following procedure:
Configure audit logging
By default, Web Agent does not write audit log records. To configure audit logging, perform this procedure. The agent in this example is in remote configuration mode.
-
In
agent.conf
, set values for the following properties:-
After changing a bootstrap property, restart the web server where the agent runs.
-
On the AM admin UI, select REALMS > Realm Name > Applications > Agents > Web > Agent Name.
-
On the Global tab, select the following options to configure audit: