
What logging sources are available in Identity Cloud?

Last updated Oct 27, 2021

The purpose of this article is to describe the sources available for audit and debug logging in Identity Cloud. These logs can be useful for troubleshooting.


Overview

Identity Cloud provides audit logging to help you to investigate user and system behavior, and debug logging to help you and ForgeRock support staff investigate any issues which may arise in production. 

Logs in Identity Cloud are stored in various sources, allowing you to view just the logs you are interested in. The available sources are listed in the Source descriptions section below.

Note

Identity Cloud stores audit data for 30 days. To keep audit data for longer, you'll need to store it in your own data stores. Currently, you can only gather audit logs by pulling them from the REST API endpoint (/monitoring/logs).

Viewing the logs

To view the logs in Identity Cloud, you'll use the /monitoring/logs API endpoint. You'll need an API key and secret before you can authenticate to this endpoint. See Authenticate to Identity Cloud REST API with API Key and Secret for further information.

You can get a list of available sources by running the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-name> with the name of your Identity Cloud tenant:

curl \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
'https://<tenant-name>.forgeblocks.com/monitoring/logs/sources'

The output appears similar to this:

{
  "resultCount" : 22,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : 0,
  "result" : [
    "am-access",
    "am-activity",
    "am-authentication",
    "am-config",
    "am-core",
    "am-everything",
    "ctsstore",
    "ctsstore-access",
    "ctsstore-config-audit",
    "ctsstore-upgrade",
    "idm-access",
    "idm-activity",
    "idm-authentication",
    "idm-config",
    "idm-core",
    "idm-everything",
    "idm-sync",
    "userstore",
    "userstore-access",
    "userstore-config-audit",
    "userstore-ldif-importer",
    "userstore-upgrade"
  ],
  "totalPagedResultsPolicy" : "NONE",
  "totalPagedResults" : 1
}

Note

Some of the log sources listed are not used by Identity Cloud and can be ignored. These are: ctsstore, ctsstore-access, ctsstore-config-audit, ctsstore-upgrade, userstore, userstore-access, userstore-ldif-importer, and userstore-upgrade.

Viewing the logs for a source

To view the logs for a source, run the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-name> with the name of your Identity Cloud tenant. Replace <SourceName> with the appropriate source from the list above, and add the required begin and end times:

curl --get \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
--data 'beginTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'source=<SourceName>' \
'https://<tenant-name>.forgeblocks.com/monitoring/logs'

Note

To reduce the size of the output, logging queries are restricted to within a 24-hour period.
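As an added example (not ForgeRock code), the following Python collector applies both restrictions from this section: it splits a longer range into 24-hour windows and follows pagedResultsCookie across pages of each window. The fetch function is injectable so the sample run works offline; the _pagedResultsCookie query parameter used to request the next page, the fake endpoint's response shape, and the helper names are assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # /monitoring/logs rejects ranges wider than 24 hours

def utc(year, month, day, hour=0):
    """Convenience constructor for tz-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def iso(ts):
    """Render a datetime as yyyy-mm-ddThh:mm:ss.ssZ, the form the curl example uses."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + ".%02dZ" % (ts.microsecond // 10000)

def windows(begin, end):
    """Split [begin, end) into consecutive slices of at most 24 hours."""
    out, cur = [], begin
    while cur < end:
        nxt = min(cur + WINDOW, end)
        out.append((cur, nxt))
        cur = nxt
    return out

def collect(source, begin, end, fetch):
    """Return every record for `source` in [begin, end), walking windows and pages.
    fetch(params) performs one GET on /monitoring/logs and returns the parsed JSON.
    Paging follows pagedResultsCookie from the response; sending it back as the
    _pagedResultsCookie query parameter is an assumption, not from the article."""
    records = []
    for w_begin, w_end in windows(begin, end):
        params = {"source": source, "beginTime": iso(w_begin), "endTime": iso(w_end)}
        while True:
            page = fetch(params)
            records.extend(page.get("result", []))
            cookie = page.get("pagedResultsCookie")
            if not cookie:
                break
            params = {**params, "_pagedResultsCookie": cookie}
    return records

def http_fetch(tenant, api_key, api_secret):
    """Build a real fetch() for a tenant using the x-api-key / x-api-secret headers."""
    def fetch(params):
        url = "https://%s.forgeblocks.com/monitoring/logs?%s" % (tenant, urllib.parse.urlencode(params))
        req = urllib.request.Request(url, headers={"x-api-key": api_key, "x-api-secret": api_secret})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def fake_fetch_factory():
    """Constructed stand-in for the endpoint: two pages per window, so both the
    window loop and the cookie loop run offline. Returns (fetch, calls made)."""
    calls = []
    def fetch(params):
        calls.append(dict(params))
        day = params["beginTime"][:10]
        if "_pagedResultsCookie" not in params:
            return {"result": [{"payload": {"eventName": "AM-ACCESS-ATTEMPT", "timestamp": day}}],
                    "pagedResultsCookie": "next-" + day}
        return {"result": [{"payload": {"eventName": "AM-ACCESS-OUTCOME", "timestamp": day}}],
                "pagedResultsCookie": None}
    return fetch, calls
```

Because audit data is only kept for 30 days, a scheduled run of collect() with http_fetch() is the way to keep a longer history in your own store.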

Source descriptions

Source Type Description
am-access Audit

Captures all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request. 

Audit events

  • AM-ACCESS-ATTEMPT
  • AM-ACCESS-OUTCOME

Example output

{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783933",
    "client" : {
      "ip" : "198.51.100.0"
    },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-ATTEMPT",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [ "application/x-www-form-urlencoded" ],
          "host" : [ "<tenant-name>.forgeblocks.com" ],
          "user-agent" : [ "Apache-HttpClient/4.5.13 (Java/11.0.11)" ],
          "x-forwarded-for" : [ "198.51.100.0, 203.0.113.0, 192.0.2.255" ],
          "x-forwarded-proto" : [ "https" ]
        },
        "method" : "POST",
        "path" : "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "request" : {
      "detail" : {
        "client_id" : "RCSClient",
        "grant_type" : "client_credentials",
        "scope" : "fr:idm:*"
      }
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.646Z",
    "topic" : "access",
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0"
  },
  "timestamp" : "2021-10-13T09:20:08.648449536Z",
  "type" : "application/json"
},
{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783941",
    "client" : {
      "ip" : "198.51.100.0"
    },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-OUTCOME",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [ "application/x-www-form-urlencoded" ],
          "host" : [ "<tenant-name>.forgeblocks.com" ],
          "user-agent" : [ "Apache-HttpClient/4.5.13 (Java/11.0.11)" ],
          "x-forwarded-for" : [ "198.51.100.0, 203.0.113.0, 192.0.2.255" ],
          "x-forwarded-proto" : [ "https" ]
        },
        "method" : "POST",
        "path" : "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "response" : {
      "detail" : {
        "scope" : "fr:idm:*",
        "token_type" : "Bearer"
      },
      "elapsedTime" : 50,
      "elapsedTimeUnits" : "MILLISECONDS",
      "status" : "SUCCESSFUL",
      "statusCode" : "200"
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.696Z",
    "topic" : "access",
    "trackingIds" : [
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783934",
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783939"
    ],
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0",
    "userId" : "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config"
  },
  "timestamp" : "2021-10-13T09:20:08.696794524Z",
  "type" : "application/json"
},

Further information

See Access Log Format for information on am_access properties.
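Added example, not from the article: pairing AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME events by transactionId so that failed token requests and attempts with no recorded outcome stand out when reviewing am-access. The records are constructed in the shape of the example above; the FAILED status and 401 status code are assumed values, and the helper names are mine.

```python
from collections import Counter, defaultdict

TOKEN = "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token"

def rec(event, txn, ip, path, **extra):
    """Build one trimmed am-access record (constructed test data, fields as in the example)."""
    p = {"eventName": event, "topic": "access", "transactionId": txn,
         "client": {"ip": ip}, "http": {"request": {"path": path, "method": "POST"}}}
    p.update(extra)
    return {"payload": p, "type": "application/json"}

# Constructed sample: txn-1 mirrors the successful token request above; the FAILED
# outcomes (status code assumed) and the attempt with no outcome are invented.
SAMPLE = [
    rec("AM-ACCESS-ATTEMPT", "txn-1", "198.51.100.0", TOKEN, request={"detail": {"client_id": "RCSClient"}}),
    rec("AM-ACCESS-OUTCOME", "txn-1", "198.51.100.0", TOKEN, response={"status": "SUCCESSFUL", "statusCode": "200"}),
    rec("AM-ACCESS-ATTEMPT", "txn-2", "203.0.113.7", TOKEN, request={"detail": {"client_id": "RCSClient"}}),
    rec("AM-ACCESS-OUTCOME", "txn-2", "203.0.113.7", TOKEN, response={"status": "FAILED", "statusCode": "401"}),
    rec("AM-ACCESS-ATTEMPT", "txn-3", "203.0.113.7", TOKEN, request={"detail": {"client_id": "RCSClient"}}),
    rec("AM-ACCESS-OUTCOME", "txn-3", "203.0.113.7", TOKEN, response={"status": "FAILED", "statusCode": "401"}),
    rec("AM-ACCESS-ATTEMPT", "txn-4", "192.0.2.9", TOKEN, request={"detail": {"client_id": "RCSClient"}}),
]

def pair_by_transaction(records):
    """Group the attempt and outcome payloads that share a transactionId."""
    pairs = defaultdict(dict)
    for r in records:
        p = r.get("payload", {})
        if p.get("topic") != "access":
            continue
        if p.get("eventName") == "AM-ACCESS-ATTEMPT":
            pairs[p["transactionId"]]["attempt"] = p
        elif p.get("eventName") == "AM-ACCESS-OUTCOME":
            pairs[p["transactionId"]]["outcome"] = p
    return pairs

def summarize(records):
    """Count non-SUCCESSFUL outcomes per (client ip, path); list attempts with no outcome.
    client.ip is what AM recorded; x-forwarded-for is caller-supplied and not used as the key."""
    failures, unanswered = Counter(), []
    for txn, pair in pair_by_transaction(records).items():
        attempt, outcome = pair.get("attempt"), pair.get("outcome")
        src = attempt or outcome
        key = (src["client"]["ip"], src["http"]["request"]["path"])
        if outcome is None:
            unanswered.append(txn)
        elif outcome.get("response", {}).get("status") != "SUCCESSFUL":
            failures[key] += 1
    return failures, unanswered

def noisy_clients(records, threshold=2):
    """Client IPs with at least `threshold` failed outcomes across all paths."""
    per_ip = Counter()
    for (ip, _path), n in summarize(records)[0].items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

An attempt with no matching outcome inside the queried window usually means the outcome was written just after the window's endTime, so check the next window before treating it as a dropped request.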

am-activity Audit

Captures state changes to objects that have been created, updated, or deleted by Identity Cloud end-users. This includes session, user profile, and device profile changes.

Audit events

  • AM-SELFSERVICE-REGISTRATION-COMPLETED
  • AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED
  • AM-SESSION-CREATED
  • AM-SESSION-IDLE_TIMED_OUT
  • AM-SESSION-MAX_TIMED_OUT
  • AM-SESSION-LOGGED_OUT
  • AM-SESSION-DESTROYED
  • AM-SESSION-PROPERTY_CHANGED
  • AM-IDENTITY-CHANGE
  • AM-GROUP-CHANGE

Example output

{
  "timestamp" : "2021-08-25T12:19:15.247547764Z",
  "payload" : {
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195032",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023",
    "transactionId" : "cf2a721c-9cec-4224-bdd1-3a33e1f8ed56/4",
    "level" : "INFO",
    "eventName" : "AM-SESSION-CREATED",
    "timestamp" : "2021-08-25T12:19:15.246Z",
    "component" : "Session",
    "source" : "audit",
    "topic" : "activity",
    "trackingIds" : [ "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023" ],
    "realm" : "/",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "runAs" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "CREATE"
  },
  "type" : "application/json"
},
{
  "type" : "application/json",
  "timestamp" : "2021-08-25T12:19:27.761843277Z",
  "payload" : {
    "transactionId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-1",
    "level" : "INFO",
    "eventName" : "AM-SESSION-IDLE_TIMED_OUT",
    "timestamp" : "2021-08-25T12:19:27.761Z",
    "component" : "Session",
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195043",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839",
    "trackingIds" : [
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-65488",
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839"
    ],
    "realm" : "/",
    "runAs" : "",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "DELETE",
    "topic" : "activity",
    "source" : "audit"
  }
},

Further information

See Activity Log Format for information on am_activity properties.

am-authentication Audit

Captures when and how a user is authenticated and related audit events. 

Identity Cloud records an authentication audit event for each authentication node and for the journey outcome. Each time an authentication node completes, Identity Cloud logs an AM-NODE-LOGIN-COMPLETED audit event, and the node can add extra data to that standard event.

Audit events

  • AM-LOGOUT
  • AM-LOGIN-COMPLETED
  • AM-LOGIN-MODULE-COMPLETED
  • AM-NODE-LOGIN-COMPLETED
  • AM-TREE-LOGIN-COMPLETED

Example output

{
  "type" : "application/json",
  "timestamp" : "2021-08-25T11:33:32.56492651Z",
  "payload" : {
    "topic" : "authentication",
    "eventName" : "AM-NODE-LOGIN-COMPLETED",
    "transactionId" : "ad56bedd-7dab-45d1-84d9-505b0b64fd6d/6",
    "principal" : [ "amadmin" ],
    "timestamp" : "2021-08-25T11:33:32.564Z",
    "component" : "Authentication",
    "source" : "audit",
    "realm" : "/",
    "entries" : [
      {
        "info" : {
          "authLevel" : "0",
          "displayName" : "Page Node",
          "nodeId" : "83a9d86e-d6f5-11ea-87d0-0242ac130003",
          "nodeOutcome" : "outcome",
          "treeName" : "FRLogin",
          "nodeType" : "PageNode"
        }
      }
    ],
    "level" : "INFO",
    "trackingIds" : [ "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184020" ],
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184022"
  }
},

Further information

See Authentication Log Format for information on am_authentication properties.

am-config Audit

Captures access management configuration changes for Identity Cloud, including when each change was made and by whom.

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments. When you promote configuration, ForgeRock provides a promotion report listing the changes recorded in the Development config logs since the last promotion. See Promote Configuration for further information on promoting configuration.

Audit events

  • AM-CONFIG-CHANGE

Example output

{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-822860",
    "eventName" : "AM-CONFIG-CHANGE",
    "level" : "INFO",
    "objectId" : "ou=Office365,ou=dashboardApp,ou=default,ou=GlobalConfig,ou=1.0,ou=dashboardService,ou=services,ou=am-config",
    "operation" : "CREATE",
    "runAs" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config",
    "source" : "audit",
    "timestamp" : "2021-10-13T10:47:38.663Z",
    "topic" : "config",
    "trackingIds" : [ "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-821644" ],
    "transactionId" : "1634122041174-2e50ecbf0df5407a6870-229391/0",
    "userId" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config"
  },
  "timestamp" : "2021-10-13T10:47:38.668823043Z",
  "type" : "application/json"
},

Further information

See Config Log Format for information on am_configuration properties.

am-core Debug

Captures access management debug logs for Identity Cloud. Use am-core when you want to debug access management without also capturing audit events.

To reduce log volume, Staging and Production instances provide WARN level logs only.

For troubleshooting and to view the latest entries in the stored logs, you can tail the am-core source, as described in Tailing Logs.

Example output

{
  "timestamp" : "2021-08-03T08:00:33.099287329Z",
  "type" : "application/json",
  "payload" : {
    "mdc" : {
      "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18"
    },
    "timestamp" : "2021-08-03T08:00:33.098Z",
    "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18",
    "level" : "DEBUG",
    "thread" : "http-nio-8080-exec-6",
    "message" : "AuthenticationOperations selected.",
    "context" : "default",
    "logger" : "com.iplanet.dpro.session.operations.ServerSessionOperationStrategy"
  }
},

am-everything Audit, Debug

Captures all access management audit and debug logs for Identity Cloud. This includes all the logs captured in am-access, am-activity, am-authentication, am-config and am-core.

idm-access Audit

Captures messages for the identity management REST endpoints and the invocation of scheduled tasks. This is the who, what, and output for every identity management access request in Identity Cloud.

Audit events

  • access

Example output

{
  "type" : "application/json",
  "payload" : {
    "response" : {
      "status" : "SUCCESSFUL",
      "elapsedTimeUnits" : "MILLISECONDS",
      "statusCode" : "200",
      "elapsedTime" : 3
    },
    "server" : {
      "ip" : "198.51.100.0",
      "port" : 8080
    },
    "roles" : [ "internal/role/openidm-reg" ],
    "eventName" : "access",
    "http" : {
      "request" : {
        "path" : "http://idm/openidm/info/ping",
        "secure" : false,
        "method" : "GET",
        "headers" : {
          "host" : [ "idm" ]
        }
      }
    },
    "request" : {
      "protocol" : "CREST",
      "operation" : "READ"
    },
    "_id" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841755",
    "transactionId" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841744",
    "userId" : "anonymous",
    "timestamp" : "2021-08-03T08:05:43.617Z",
    "client" : {
      "port" : 8080,
      "ip" : "198.51.100.0"
    }
  },
  "timestamp" : "2021-08-03T08:05:46.054580251Z"
},

Further information

See Access Event Topic Properties for information on idm-access event properties.

idm-activity Audit

Captures operations on internal (managed) and external (system) objects in Identity Cloud. idm-activity logs the changes to identity content, such as adding or updating users, changing passwords, etc. 

Audit events

  • activity

Example output

{
  "timestamp" : "2021-08-27T15:14:49.508370169Z",
  "type" : "application/json",
  "payload" : {
    "_id" : "eebf2abb-e4f1-428f-8fbb-8c18ed3f9559-218925",
    "transactionId" : "1630077288251-f5190abcb8c2d0d42c31-136380/0",
    "message" : "",
    "timestamp" : "2021-08-27T15:14:48.43Z",
    "eventName" : "activity",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "revision" : "00000000478fd92b",
    "operation" : "PATCH",
    "changedFields" : [],
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "passwordChanged" : true,
    "status" : "SUCCESS",
    "objectId" : "managed/alpha_user/e70c4476-1305-408a-9246-ac76c64ba039"
  }
},

Further information

See Activity Event Topic Properties for information on idm-activity event properties.

See How do I extend auditing in Identity Cloud to include additional fields? to include additional fields for managed object activities.

idm-authentication Audit

Captures the results when you authenticate to an /openidm endpoint to complete certain actions on an object.

If an access management session already exists, identity management does not require a separate authentication because that session is valid for the operation. In this case, the authentication is logged in am-authentication, and the identity management activity appears in idm-access and idm-activity.

Audit events

  • authentication

Further information

See Authentication Event Topic Properties for information on idm-authentication event properties.

idm-config Audit

Captures identity management configuration changes to Identity Cloud, including when each change was made and by whom.

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments. When you promote configuration, ForgeRock provides a promotion report listing the changes recorded in the Development config logs since the last promotion. See Promote Configuration for further information on promoting configuration.

Audit events

  • CONFIG

Example output

{
  "payload" : {
    "_id" : "f6a3a7b2-aaf3-426d-a998-a970f84bdf4b-1519486",
    "changedFields" : [ "/mappings" ],
    "eventName" : "CONFIG",
    "objectId" : "sync",
    "operation" : "UPDATE",
    "revision" : null,
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "timestamp" : "2021-10-12T16:05:47.217Z",
    "transactionId" : "1634054726312-2e50ecbf0df5407a6870-202437/0",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54"
  },

Further information

See Configuration Event Topic Properties for information on idm-configuration event properties.

idm-core Debug

Captures identity management debug logs for Identity Cloud. Use idm-core when you want to debug identity management without also capturing audit events.

To reduce log volume, Staging and Production instances include INFO and WARNING level logs only.

For troubleshooting and to view the latest entries in the stored logs, you can tail the idm-core source, as described in Tailing Logs.

Example output

{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083008561Z",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.config.manage.ConfigObjectService read\n"
},
{
  "payload" : "FINE: Read configuration for service access\n",
  "timestamp" : "2021-08-31T01:00:38.083020673Z",
  "type" : "text/plain"
},
{
  "timestamp" : "2021-08-31T01:00:38.083262771Z",
  "type" : "text/plain",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n"
},
{
  "payload" : "FINE: Access Check for HTTP request for resource id: info/ping, role: [internal/role/openidm-reg], method: read, action: \n",
  "timestamp" : "2021-08-31T01:00:38.083276635Z",
  "type" : "text/plain"
},
{
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n",
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083586497Z"
},
{
  "payload" : "FINE: Request allowed\n",
  "timestamp" : "2021-08-31T01:00:38.083612635Z",
  "type" : "text/plain"
},
{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:39.326788471Z",
  "payload" : "Aug 31, 2021 1:00:39 AM org.forgerock.openidm.internal.InternalObjectSet readInstance\n"
},

idm-everything Audit, Debug

Captures identity management audit and debug logs for Identity Cloud. This includes all the logs captured in idm-access, idm-activity, idm-authentication, idm-config and idm-core.

idm-sync Audit

Captures any changes made to an object that trigger automatic sync (live sync and implicit sync) when you have a repository mapped to Identity Cloud. This includes the sync situation and the action taken for each object, by account. The idm-activity log contains additional details about each action.

Further information

See Synchronization Event Topic Properties for information on idm-sync event properties.

userstore-config-audit

Captures configuration changes to the identity store, including changes to your tenant's password policy made through the Identity Cloud Admin UI.

Example output

{
  "payload" : "replace: ds-cfg-password-history-count\n",
  "timestamp" : "2021-10-13T09:19:50.162871555Z",
  "type" : "text/plain"
},
{
  "payload" : "ds-cfg-password-history-count: 1\n",
  "timestamp" : "2021-10-13T09:19:50.162877212Z",
  "type" : "text/plain"
},
{
  "payload" : "-\n",
  "timestamp" : "2021-10-13T09:19:50.162883094Z",
  "type" : "text/plain"
},
{
  "payload" : "replace: ds-cfg-allow-pre-encoded-passwords\n",
  "timestamp" : "2021-10-13T09:19:50.162889023Z",
  "type" : "text/plain"
},
{
  "payload" : "ds-cfg-allow-pre-encoded-passwords: true\n",
  "timestamp" : "2021-10-13T09:19:50.162894647Z",
  "type" : "text/plain"
},
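Added example, not part of the article: since each userstore-config-audit record above carries a single LDIF line, this reassembles the records into modify operations and flags changes to attributes you want to review, such as the password-policy settings in the excerpt. The dn and changetype lines in the constructed sample are assumed (the excerpt above starts at the first replace), as are the watch list and the function names.

```python
# Constructed sample in the shape of the userstore-config-audit records above:
# one LDIF line per text/plain record. The dn and changetype lines are assumed;
# the page's excerpt starts at the first "replace:" line.
SAMPLE = [
    {"payload": "dn: cn=Default Password Policy,cn=Password Policies,cn=config\n", "type": "text/plain"},
    {"payload": "changetype: modify\n", "type": "text/plain"},
    {"payload": "replace: ds-cfg-password-history-count\n", "type": "text/plain"},
    {"payload": "ds-cfg-password-history-count: 1\n", "type": "text/plain"},
    {"payload": "-\n", "type": "text/plain"},
    {"payload": "replace: ds-cfg-allow-pre-encoded-passwords\n", "type": "text/plain"},
    {"payload": "ds-cfg-allow-pre-encoded-passwords: true\n", "type": "text/plain"},
]

# Attributes whose modification is worth a review (assumed watch list).
WATCH = {"ds-cfg-allow-pre-encoded-passwords", "ds-cfg-password-history-count"}

def ldif_changes(records):
    """Reassemble one-line-per-record payloads into LDIF modify operations.
    Returns a list of {"dn", "op", "attr", "values"} dicts in log order."""
    changes, cur, dn = [], None, None
    for r in records:
        if r.get("type") != "text/plain":
            continue
        line = r["payload"].rstrip("\n")
        if line in ("", "-"):  # "-" separates modifications, "" separates entries
            if cur:
                changes.append(cur)
            cur = None
            if line == "":
                dn = None
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        val = val.strip()  # "attr:: base64" values are not shown on the page and not decoded here
        if key == "dn":
            dn = val
        elif key in ("add", "replace", "delete"):
            if cur:
                changes.append(cur)
            cur = {"dn": dn, "op": key, "attr": val, "values": []}
        elif cur and key == cur["attr"]:
            cur["values"].append(val)
    if cur:
        changes.append(cur)
    return changes

def flagged(records, watch=WATCH):
    """Changes that touch a watched attribute, ready to feed an alert."""
    return [c for c in ldif_changes(records) if c["attr"] in watch]
```

Records are split at "-" and blank lines, so a modify that spans several records is reported once, with all of its values.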

See Also

How do I extend auditing in Identity Cloud to include additional fields?

View Audit Logs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.