How To

How do I log audit events to a database in OpenAM 13.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on logging audit events to a database in OpenAM. You can log to Oracle®, MySQL™ or other databases.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.


OpenAM 13.0 introduces the ForgeRock Common Audit Framework, which allows OpenAM to log all user and administrative activity in a consistent format across the ForgeRock platform. Logs can be written to file, database or syslog as required. See OpenAM Administration Guide › Configuring Audit Logging for further information on configuring audit logs to be written to a database in OpenAM 13.x.

In releases prior to OpenAM 13.0, you can configure OpenAM to log to a database instead of the default log file if required. The configuration required for this is detailed below. This functionality is deprecated as of OpenAM 13.0.

Configuring OpenAM to log to a database

You can configure OpenAM to log to a database using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Configuration > System > Logging > Logging Type and select the DB option. Complete the following fields to configure logging to a database:
    • Log File Location: enter the full directory path using a valid database URL, for example: jdbc:mysql://host:port/dbname.
    • Database User Name
    • Database User Password
    • Database User Password (confirm)
    • Database Driver Name
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMLoggingService -t global -u [adminID] -f [passwordfile] -a iplanet-am-logging-type=DB iplanet-am-logging-location=[JDBCURL] iplanet-am-logging-db-user=[DBuserName] iplanet-am-logging-db-password=[DBpassword] iplanet-am-logging-db-driver=[JDBCdriver] replacing [adminID], [passwordfile], [JDBCURL], [DBuserName], [DBpassword] and [JDBCdriver] with appropriate values.

OpenAM automatically creates the necessary table in the database, so there is no need to run a script to create the table; events and errors are logged as unique database file attributes or columns and are labeled as follows:

  • Oracle database:
    • *_ACCESS
    • *_ERROR
  • MySQL database: 
    • *_access 
    • *_error 

You should ensure the database user has the CREATE TABLE privilege and the JDBC driver is deployed in the web container.

See Also

OpenAM Administration Guide › Configuring Audit Logging

Related Training


Related Issue Tracker IDs

OPENAM-5987 (Database audit logging 'failure buffer' does not write all records after DB recovery)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.