How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I monitor session statistics in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on monitoring session statistics in AM. This can provide useful troubleshooting information if you are experiencing unexpectedly high session numbers.



Overview

There are a number of ways you can monitor session statistics in AM, including:

  • Sessions page - navigate to Realms > [Realm Name] > Sessions to access the Sessions page, which allows you to view and invalidate active server-side user sessions per realm.
  • REST API - you can query the /json/sessions endpoint (see the Using the /json/sessions endpoint section below for further information).
  • Amster - you can use Amster to query sessions (see the Using Amster section below for further information).

By default, only 120 sessions are returned using these methods. You can change this default using the Maximum Number of Search Results setting. See Session Search for further details.

Session details

Session management information, including attribute values such as login time, logout time, timeout limits, and session creations and terminations, is logged in the amSSO.access log file, typically located in the /path/to/am/var/audit directory (AM 7 and later) or the /path/to/am/log directory (AM 6.x). You will also see session information in the CoreSystem, Authentication and Session debug files, located in /path/to/am/var/debug (AM 7 and later) or /path/to/am/debug (AM 6.x).

Using the /json/sessions endpoint

You can query the /json/sessions endpoint to find session details. _queryFilter is a required parameter and must specify the realm you are querying, in the format realm eq "/<realmname>", which should be URL encoded. For example, to find sessions in the top level realm, you would set _queryFilter as follows: _queryFilter=realm%20eq%20%22%2F%22.

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not the load balancer).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains valid resource versions.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

  1. Authenticate as an admin user. For example:

     $ curl -X POST \
         -H "X-OpenAM-Username: amadmin" \
         -H "X-OpenAM-Password: cangetinam" \
         -H "Content-Type: application/json" \
         -H "Accept-API-Version: resource=2.1" \
         "https://am.example.com:8443/am/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"

     Example response:

     {
       "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*",
       "successUrl": "/am/console",
       "realm": "/"
     }

  2. Query the /json/sessions endpoint to find the required session details, where _queryFilter equals the realm you are interested in. For example, the /internal realm in this query:

     $ curl -X GET \
         "https://am.example.com:8443/am/json/sessions?_queryFilter=realm%20eq%20%22%2Finternal%22" \
         -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" \
         -H "Content-Type: application/json"

See Manage sessions over REST and Query for further information.
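
The following is an added example, not part of the original article or ForgeRock's own code. It builds the URL-encoded _queryFilter described above and summarizes a query response per user, flagging a result set that has reached the default limit of 120 and may therefore be truncated. The function names, the "result" wrapper around the REST response entries, and the sample data are assumptions made for illustration.

```python
import json
from collections import Counter
from urllib.parse import quote

DEFAULT_MAX_RESULTS = 120  # default search cap stated in the article


def session_query_url(base_url, realm):
    """Build the /json/sessions URL with a URL-encoded _queryFilter."""
    if not realm.startswith("/") or '"' in realm:
        raise ValueError(f"unexpected realm path: {realm!r}")
    return f"{base_url}/json/sessions?_queryFilter=" + quote(f'realm eq "{realm}"', safe="")


def summarize_sessions(body, max_results=DEFAULT_MAX_RESULTS, per_user_threshold=2):
    """Count sessions per user and flag a result set that may be truncated."""
    data = json.loads(body)
    # Assumption: REST wraps entries in "result"; Amster prints a bare list.
    sessions = data["result"] if isinstance(data, dict) else data
    per_user = Counter(s["username"] for s in sessions)
    return {
        "total": len(sessions),
        "possibly_truncated": len(sessions) >= max_results,
        "per_user": dict(per_user),
        "heavy_users": sorted(u for u, n in per_user.items() if n >= per_user_threshold),
    }


# Constructed sample response (not real session data).
SAMPLE_RESPONSE = json.dumps({"result": [
    {"username": "demo", "realm": "/internal", "sessionHandle": "shandle:EXAMPLE-1"},
    {"username": "demo", "realm": "/internal", "sessionHandle": "shandle:EXAMPLE-2"},
    {"username": "amAdmin", "realm": "/internal", "sessionHandle": "shandle:EXAMPLE-3"},
], "resultCount": 3})

if __name__ == "__main__":
    print(session_query_url("https://am.example.com:8443/am", "/internal"))
    print(summarize_sessions(SAMPLE_RESPONSE))
```

If possibly_truncated is true, the counts are a lower bound; raise the Maximum Number of Search Results setting before drawing conclusions from them.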

Using Amster

You can use Amster to query session details using the query Sessions command. For example:

am> query Sessions --realm / --filter 'realm eq "/"'

Example response:

===> [
  {
    "username": "amAdmin",
    "universalId": "id=amAdmin,ou=user,dc=example,dc=com",
    "realm": "/",
    "sessionHandle": "shandle:4r8SsX6XJj0oAbLBmexqyUsbC7Y.*AAJTSQACMDEAAlNLABxJNEhkVlRlMnNHRzVKUTlOa1hMQ3BiRzZad0E9AAJTMQAA*",
    "latestAccessTime": "2018-05-01T12:36:54.487Z",
    "maxIdleExpirationTime": "2018-05-01T13:06:54Z",
    "maxSessionExpirationTime": "2018-05-01T14:31:23Z",
    "_rev": "746064345"
  },
  {
    "username": "demo",
    "universalId": "id=demo,ou=user,dc=example,dc=com",
    "realm": "/",
    "sessionHandle": "shandle:rn3PS1zCIBxmY5qnMtbbqJOLgkQ.*AAJTSQACMDEAAlNLABxNR2JvL0tUenQxc2N1YnU4MkN2YjNkeGY2UTQ9AAJTMQAA*",
    "latestAccessTime": "2018-05-01T12:36:50.448Z",
    "maxIdleExpirationTime": "2018-05-01T13:06:50Z",
    "maxSessionExpirationTime": "2018-05-01T14:36:50Z",
    "_rev": "856832111"
  }
]

See Sessions for further information.

See Also

Agent and IG session numbers keep growing in the CTS store in AM (All versions)

Managing Sessions (REST)

Manage sessions in the UI

Monitor AM instances

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9738 (Enable CTS segregation to allow each token type to write to a different CTS instance)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.