
What logging sources are available in Identity Cloud?

Last updated Mar 23, 2023

The purpose of this article is to describe the sources available for audit and debug logging in ForgeRock Identity Cloud. These logs can be useful for troubleshooting.


Overview

Identity Cloud provides audit logging to help you to investigate user and system behavior, and debug logging to help you and ForgeRock support staff investigate any issues which may arise in production. 

Logs in Identity Cloud are stored in separate sources, so you can view only the logs you are interested in. The available sources are described in the Source descriptions section below.

Note

Identity Cloud stores audit data for 30 days. To keep audit data for longer, you'll need to store it in your own data stores. Currently, you can only gather audit logs by pulling them from the REST API endpoint (/monitoring/logs).

Viewing the logs

To view the logs in Identity Cloud, you'll use the /monitoring/logs API endpoint. You'll need an API key and secret before you can authenticate to this endpoint. See Authenticate to Identity Cloud REST API with API key and secret for further information.

You can get a list of available sources by running the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-env-fqdn> with the name of your Identity Cloud tenant:

curl \
  --header 'x-api-key: <API-KEY>' \
  --header 'x-api-secret: <API-SECRET>' \
  'https://<tenant-env-fqdn>/monitoring/logs/sources'

The output appears similar to this:

{
  "resultCount" : 14,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : 0,
  "result" : [
    "am-access",
    "am-activity",
    "am-authentication",
    "am-config",
    "am-core",
    "am-everything",
    "idm-access",
    "idm-activity",
    "idm-authentication",
    "idm-config",
    "idm-core",
    "idm-everything",
    "idm-recon",
    "idm-sync"
  ],
  "totalPagedResultsPolicy" : "NONE",
  "totalPagedResults" : 1
}

Viewing the logs for a source

To view the logs for a source, run the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-env-fqdn> with the name of your Identity Cloud tenant. Replace <SourceName> with the appropriate source from the list above, and add the required begin and end times:

curl --get \
  --header 'x-api-key: <API-KEY>' \
  --header 'x-api-secret: <API-SECRET>' \
  --data 'beginTime=yyyy-mm-ddThh:mm:ss.ssZ' \
  --data 'endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
  --data 'source=<SourceName>' \
  'https://<tenant-env-fqdn>/monitoring/logs'

Note

If you are using Postman, use this format instead:

curl --location --request GET 'https://<tenant-env-fqdn>/monitoring/logs?key=&source=<SourceName>&beginTime=yyyy-mm-ddThh:mm:ss.ssZ&endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
  --header 'x-api-key: <API-KEY>' \
  --header 'x-api-secret: <API-SECRET>'

Note

To reduce the size of the output, logging queries are restricted to within a 24-hour period.
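The 30-day retention and the 24-hour query limit together mean that exporting audit data to your own store is a loop of windowed, paged requests. The following Python script is an added example, not code from the article or from ForgeRock: it splits a longer range into 24-hour windows and follows pagedResultsCookie page by page. It assumes the next page is requested with a _pagedResultsCookie query parameter (the article only shows the cookie in the response, so confirm the parameter name against the API documentation) and uses placeholder tenant and credential values.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed request parameter for the next page: the article shows only the
# pagedResultsCookie field in responses, so confirm the name in the API docs.
NEXT_PAGE_PARAM = "_pagedResultsCookie"
MAX_WINDOW = timedelta(hours=24)  # one /monitoring/logs query spans at most 24 hours
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    """Parse a UTC timestamp such as 2023-03-01T00:00:00Z."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def fmt_ts(ts):
    """Render a timestamp in the yyyy-mm-ddThh:mm:ss.ssZ form the endpoint expects."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.00Z")


def split_windows(begin, end):
    """Split [begin, end) into consecutive slices of at most 24 hours each."""
    start, stop = parse_ts(begin), parse_ts(end)
    if stop <= start:
        raise ValueError("endTime must be after beginTime")
    windows, cursor = [], start
    while cursor < stop:
        nxt = min(cursor + MAX_WINDOW, stop)
        windows.append((fmt_ts(cursor), fmt_ts(nxt)))
        cursor = nxt
    return windows


def build_request(tenant, key, secret, source, begin, end, cookie=None):
    """Build the GET /monitoring/logs request the article's curl command sends."""
    params = {"source": source, "beginTime": begin, "endTime": end}
    if cookie:
        params[NEXT_PAGE_PARAM] = cookie
    url = f"https://{tenant}/monitoring/logs?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"x-api-key": key, "x-api-secret": secret})


def http_get_json(req):
    """Send the request and decode the JSON body."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_source(tenant, key, secret, source, begin, end, get_json=http_get_json):
    """Yield every event for `source` in [begin, end), one 24-hour window at a
    time, following pagedResultsCookie until the server returns no cookie."""
    for win_begin, win_end in split_windows(begin, end):
        cookie = None
        while True:
            page = get_json(build_request(tenant, key, secret, source,
                                          win_begin, win_end, cookie))
            yield from page.get("result", [])
            cookie = page.get("pagedResultsCookie")
            if not cookie:
                break
```

Call fetch_source("<tenant-env-fqdn>", "<API-KEY>", "<API-SECRET>", "am-authentication", "2023-03-01T00:00:00Z", "2023-03-03T00:00:00Z") and write each yielded event to your own store before the 30-day retention window expires.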

Source descriptions

Each source is listed below with its type (Audit or Debug) and a description.

am-access (Audit)

Captures all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request. 

Audit events

  • AM-ACCESS-ATTEMPT
  • AM-ACCESS-OUTCOME

Example output

{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783933",
    "client" : {
      "ip" : "198.51.100.0"
    },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-ATTEMPT",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [
            "application/x-www-form-urlencoded"
          ],
          "host" : [
            "<tenant-env-fqdn>"
          ],
          "user-agent" : [
            "Apache-HttpClient/4.5.13 (Java/11.0.11)"
          ],
          "x-forwarded-for" : [
            "198.51.100.0, 203.0.113.0, 192.0.2.255"
          ],
          "x-forwarded-proto" : [
            "https"
          ]
        },
        "method" : "POST",
        "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "request" : {
      "detail" : {
        "client_id" : "RCSClient",
        "grant_type" : "client_credentials",
        "scope" : "fr:idm:*"
      }
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.646Z",
    "topic" : "access",
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0"
  },
  "timestamp" : "2021-10-13T09:20:08.648449536Z",
  "type" : "application/json"
},
{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783941",
    "client" : {
      "ip" : "198.51.100.0"
    },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-OUTCOME",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [
            "application/x-www-form-urlencoded"
          ],
          "host" : [
            "<tenant-env-fqdn>"
          ],
          "user-agent" : [
            "Apache-HttpClient/4.5.13 (Java/11.0.11)"
          ],
          "x-forwarded-for" : [
            "198.51.100.0, 203.0.113.0, 192.0.2.255"
          ],
          "x-forwarded-proto" : [
            "https"
          ]
        },
        "method" : "POST",
        "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "response" : {
      "detail" : {
        "scope" : "fr:idm:*",
        "token_type" : "Bearer"
      },
      "elapsedTime" : 50,
      "elapsedTimeUnits" : "MILLISECONDS",
      "status" : "SUCCESSFUL",
      "statusCode" : "200"
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.696Z",
    "topic" : "access",
    "trackingIds" : [
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783934",
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783939"
    ],
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0",
    "userId" : "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config"
  },
  "timestamp" : "2021-10-13T09:20:08.696794524Z",
  "type" : "application/json"
},

Further information

See Access Log Format for information on am_access properties.
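An am-access request arrives as two events that share a transactionId: the ATTEMPT carries the caller, path and request detail, the OUTCOME carries the status, elapsed time and resolved userId. The following Python snippet is an added example, not code from the article or from ForgeRock: it pairs the two halves and flags requests that did not end SUCCESSFUL (or have no outcome at all), which is a useful first pass when reviewing token requests from service accounts. The sample events are constructed to match the shape shown above, trimmed to the fields used, and are not real data.

```python
from collections import defaultdict

# Constructed sample in the am-access shape the article shows, trimmed to the
# fields used below. Transaction ids, addresses and the 401 outcome are made up.
SAMPLE_EVENTS = [
    {"payload": {"eventName": "AM-ACCESS-ATTEMPT", "transactionId": "tx-1/0",
                 "client": {"ip": "198.51.100.0"},
                 "http": {"request": {"method": "POST",
                                      "path": "/am/oauth2/realms/root/realms/alpha/access_token",
                                      "headers": {"x-forwarded-for": ["198.51.100.0, 203.0.113.0"]}}},
                 "request": {"detail": {"client_id": "RCSClient",
                                        "grant_type": "client_credentials", "scope": "fr:idm:*"}}}},
    {"payload": {"eventName": "AM-ACCESS-OUTCOME", "transactionId": "tx-1/0",
                 "response": {"status": "SUCCESSFUL", "statusCode": "200", "elapsedTime": 50},
                 "userId": "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config"}},
    {"payload": {"eventName": "AM-ACCESS-ATTEMPT", "transactionId": "tx-2/0",
                 "client": {"ip": "203.0.113.7"},
                 "http": {"request": {"method": "POST",
                                      "path": "/am/oauth2/realms/root/realms/alpha/access_token",
                                      "headers": {}}},
                 "request": {"detail": {"client_id": "RCSClient", "grant_type": "client_credentials"}}}},
    {"payload": {"eventName": "AM-ACCESS-OUTCOME", "transactionId": "tx-2/0",
                 "response": {"status": "FAILED", "statusCode": "401", "elapsedTime": 12}}},
]


def correlate(events):
    """Pair AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME by transactionId and
    summarise each request: who called what, from where, and how it ended."""
    by_tx = defaultdict(dict)
    for ev in events:
        p = ev["payload"]
        by_tx[p["transactionId"]][p["eventName"]] = p
    summaries = []
    for tx, parts in by_tx.items():
        attempt = parts.get("AM-ACCESS-ATTEMPT", {})
        outcome = parts.get("AM-ACCESS-OUTCOME", {})
        req = attempt.get("http", {}).get("request", {})
        # x-forwarded-for lists the proxy chain; client.ip is the hop AM itself saw
        xff = req.get("headers", {}).get("x-forwarded-for", [""])[0]
        detail = attempt.get("request", {}).get("detail", {})
        resp = outcome.get("response", {})
        summaries.append({
            "transactionId": tx,
            "method": req.get("method"),
            "path": req.get("path"),
            "client_ip": attempt.get("client", {}).get("ip"),
            "forwarded_chain": [h.strip() for h in xff.split(",") if h.strip()],
            "client_id": detail.get("client_id"),
            "grant_type": detail.get("grant_type"),
            "scope": detail.get("scope"),
            "status": resp.get("status"),
            "statusCode": resp.get("statusCode"),
            "elapsed_ms": resp.get("elapsedTime"),
            "userId": outcome.get("userId"),
            "complete": bool(attempt) and bool(outcome),
        })
    return summaries


def needs_review(summaries):
    """Requests whose outcome was not SUCCESSFUL, or that never got an outcome."""
    return [s for s in summaries if s["status"] != "SUCCESSFUL"]
```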

am-activity (Audit)

Captures state changes to objects that have been created, updated, or deleted by Identity Cloud end users. This includes session, user profile, and device profile changes.

Audit events

  • AM-SELFSERVICE-REGISTRATION-COMPLETED
  • AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED
  • AM-SESSION-CREATED
  • AM-SESSION-IDLE_TIMED_OUT
  • AM-SESSION-MAX_TIMED_OUT
  • AM-SESSION-LOGGED_OUT
  • AM-SESSION-DESTROYED
  • AM-SESSION-PROPERTY_CHANGED
  • AM-IDENTITY-CHANGE
  • AM-GROUP-CHANGE

Example output

{
  "timestamp" : "2021-08-25T12:19:15.247547764Z",
  "payload" : {
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195032",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023",
    "transactionId" : "cf2a721c-9cec-4224-bdd1-3a33e1f8ed56/4",
    "level" : "INFO",
    "eventName" : "AM-SESSION-CREATED",
    "timestamp" : "2021-08-25T12:19:15.246Z",
    "component" : "Session",
    "source" : "audit",
    "topic" : "activity",
    "trackingIds" : [
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023"
    ],
    "realm" : "/",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "runAs" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "CREATE"
  },
  "type" : "application/json"
},
{
  "type" : "application/json",
  "timestamp" : "2021-08-25T12:19:27.761843277Z",
  "payload" : {
    "transactionId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-1",
    "level" : "INFO",
    "eventName" : "AM-SESSION-IDLE_TIMED_OUT",
    "timestamp" : "2021-08-25T12:19:27.761Z",
    "component" : "Session",
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195043",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839",
    "trackingIds" : [
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-65488",
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839"
    ],
    "realm" : "/",
    "runAs" : "",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "DELETE",
    "topic" : "activity",
    "source" : "audit"
  }
},

Further information

See Activity Log Format for information on am_activity properties.

am-authentication (Audit)

Captures when and how a user is authenticated and related audit events. 

Identity Cloud records an authentication audit event for each authentication node and for the journey outcome. Each time an authentication node completes, Identity Cloud logs an AM-NODE-LOGIN-COMPLETED audit event; a node can add extra data to this standard event.

Audit events

  • AM-LOGOUT
  • AM-LOGIN-COMPLETED
  • AM-LOGIN-MODULE-COMPLETED
  • AM-NODE-LOGIN-COMPLETED
  • AM-TREE-LOGIN-COMPLETED

Example output

{
  "type" : "application/json",
  "timestamp" : "2021-08-25T11:33:32.56492651Z",
  "payload" : {
    "topic" : "authentication",
    "eventName" : "AM-NODE-LOGIN-COMPLETED",
    "transactionId" : "ad56bedd-7dab-45d1-84d9-505b0b64fd6d/6",
    "principal" : [
      "amadmin"
    ],
    "timestamp" : "2021-08-25T11:33:32.564Z",
    "component" : "Authentication",
    "source" : "audit",
    "realm" : "/",
    "entries" : [
      {
        "info" : {
          "authLevel" : "0",
          "displayName" : "Page Node",
          "nodeId" : "83a9d86e-d6f5-11ea-87d0-0242ac130003",
          "nodeOutcome" : "outcome",
          "treeName" : "FRLogin",
          "nodeType" : "PageNode"
        }
      }
    ],
    "level" : "INFO",
    "trackingIds" : [
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184020"
    ],
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184022"
  }
},

Further information

See Authentication Log Format for information on am_authentication properties.

am-config (Audit)

Captures access management configuration changes for Identity Cloud with a timestamp and by whom. 

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments.

Audit events

  • AM-CONFIG-CHANGE

Example output

{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-822860",
    "eventName" : "AM-CONFIG-CHANGE",
    "level" : "INFO",
    "objectId" : "ou=Office365,ou=dashboardApp,ou=default,ou=GlobalConfig,ou=1.0,ou=dashboardService,ou=services,ou=am-config",
    "operation" : "CREATE",
    "runAs" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config",
    "source" : "audit",
    "timestamp" : "2021-10-13T10:47:38.663Z",
    "topic" : "config",
    "trackingIds" : [
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-821644"
    ],
    "transactionId" : "1634122041174-2e50ecbf0df5407a6870-229391/0",
    "userId" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config"
  },
  "timestamp" : "2021-10-13T10:47:38.668823043Z",
  "type" : "application/json"
},

Further information

See Config Log Format for information on am_configuration properties.

am-core (Debug)

Captures access management debug logs for Identity Cloud. Use am-core to debug access management without also capturing audit events.

Development and Sandbox environments provide DEBUG level logs, with logs in several areas tuned to INFO or WARNING to reduce log volumes.

In order to reduce log volumes, Staging and Production environments provide WARNING level logs only.

For troubleshooting, and to view the latest entries in the stored logs, you can tail the am-core source as described in Tail Logs.

Example output

{
  "timestamp" : "2021-08-03T08:00:33.099287329Z",
  "type" : "application/json",
  "payload" : {
    "mdc" : {
      "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18"
    },
    "timestamp" : "2021-08-03T08:00:33.098Z",
    "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18",
    "level" : "DEBUG",
    "thread" : "http-nio-8080-exec-6",
    "message" : "AuthenticationOperations selected.",
    "context" : "default",
    "logger" : "com.iplanet.dpro.session.operations.ServerSessionOperationStrategy"
  }
},

am-everything (Audit, Debug)

Captures all access management audit and debug logs for Identity Cloud. This includes all the logs captured in am-access, am-activity, am-authentication, am-config and am-core.

idm-access (Audit)

Captures messages for the identity management REST endpoints and the invocation of scheduled tasks. This is the who, what, and output for every identity management access request in Identity Cloud.

Audit events

  • access

Example output

{
  "type" : "application/json",
  "payload" : {
    "response" : {
      "status" : "SUCCESSFUL",
      "elapsedTimeUnits" : "MILLISECONDS",
      "statusCode" : "200",
      "elapsedTime" : 3
    },
    "server" : {
      "ip" : "198.51.100.0",
      "port" : 8080
    },
    "roles" : [
      "internal/role/openidm-reg"
    ],
    "eventName" : "access",
    "http" : {
      "request" : {
        "path" : "http://idm/openidm/info/ping",
        "secure" : false,
        "method" : "GET",
        "headers" : {
          "host" : [
            "idm"
          ]
        }
      }
    },
    "request" : {
      "protocol" : "CREST",
      "operation" : "READ"
    },
    "_id" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841755",
    "transactionId" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841744",
    "userId" : "anonymous",
    "timestamp" : "2021-08-03T08:05:43.617Z",
    "client" : {
      "port" : 8080,
      "ip" : "198.51.100.0"
    }
  },
  "timestamp" : "2021-08-03T08:05:46.054580251Z"
},

Further information

See Access Event Topic Properties for information on idm-access event properties.

idm-activity (Audit)

Captures operations on internal (managed) and external (system) objects in Identity Cloud. idm-activity logs the changes to identity content, such as adding or updating users, changing passwords, etc. 

Audit events

  • activity

Example output

{
  "timestamp" : "2021-08-27T15:14:49.508370169Z",
  "type" : "application/json",
  "payload" : {
    "_id" : "eebf2abb-e4f1-428f-8fbb-8c18ed3f9559-218925",
    "transactionId" : "1630077288251-f5190abcb8c2d0d42c31-136380/0",
    "message" : "",
    "timestamp" : "2021-08-27T15:14:48.43Z",
    "eventName" : "activity",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "revision" : "00000000478fd92b",
    "operation" : "PATCH",
    "changedFields" : [],
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "passwordChanged" : true,
    "status" : "SUCCESS",
    "objectId" : "managed/alpha_user/e70c4476-1305-408a-9246-ac76c64ba039"
  }
},

Further information

See Activity Event Topic Properties for information on idm-activity event properties.

See How do I extend auditing in Identity Cloud to include additional fields? for how to include additional fields in managed object activity events.

idm-authentication (Audit)

Captures the results when you authenticate to an /openidm endpoint to complete certain actions on an object.

If there is an existing authentication session in access management, another authentication to identity management is not required as the session is valid for the operation. In this case, you would see authentication logs for am-authentication; for identity management, the logs would be available in idm-access and idm-activity.

Audit events

  • authentication

Further information

See Authentication Event Topic Properties for information on idm-authentication event properties.

idm-config (Audit)

Captures configuration changes to Identity Cloud with a timestamp and by whom. 

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments.

Audit events

  • CONFIG

Example output

{
  "payload" : {
    "_id" : "f6a3a7b2-aaf3-426d-a998-a970f84bdf4b-1519486",
    "changedFields" : [
      "/mappings"
    ],
    "eventName" : "CONFIG",
    "objectId" : "sync",
    "operation" : "UPDATE",
    "revision" : null,
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "timestamp" : "2021-10-12T16:05:47.217Z",
    "transactionId" : "1634054726312-2e50ecbf0df5407a6870-202437/0",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54"
  },

Further information

See Configuration Event Topic Properties for information on idm-configuration event properties.

idm-core (Debug)

Captures identity management debug logs for Identity Cloud. Use idm-core to debug identity management without also capturing audit events.

Development and Sandbox environments provide FINE level logs, with logs in several areas tuned to INFO, WARNING and SEVERE to reduce log volumes.

In order to reduce log volumes, Staging and Production environments include INFO and WARNING level logs only.

For troubleshooting, and to view the latest entries in the stored logs, you can tail the idm-core source as described in Tail Logs.

Example output

{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083008561Z",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.config.manage.ConfigObjectService read\n"
},
{
  "payload" : "FINE: Read configuration for service access\n",
  "timestamp" : "2021-08-31T01:00:38.083020673Z",
  "type" : "text/plain"
},
{
  "timestamp" : "2021-08-31T01:00:38.083262771Z",
  "type" : "text/plain",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n"
},
{
  "payload" : "FINE: Access Check for HTTP request for resource id: info/ping, role: [internal/role/openidm-reg], method: read, action: \n",
  "timestamp" : "2021-08-31T01:00:38.083276635Z",
  "type" : "text/plain"
},
{
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n",
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083586497Z"
},
{
  "payload" : "FINE: Request allowed\n",
  "timestamp" : "2021-08-31T01:00:38.083612635Z",
  "type" : "text/plain"
},
{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:39.326788471Z",
  "payload" : "Aug 31, 2021 1:00:39 AM org.forgerock.openidm.internal.InternalObjectSet readInstance\n"
},

idm-everything (Audit, Debug)

Captures identity management audit and debug logs for Identity Cloud. This includes all the logs captured in idm-access, idm-activity, idm-authentication, idm-config, idm-recon, idm-sync and idm-core.

idm-recon (Audit)

Captures identity management reconciliation events for Identity Cloud. 

The corresponding audit topic for idm-recon is disabled by default in Identity Cloud. You will need to enable the recon event handler for reconciliation events to appear in the audit logs. See Update audit configuration for information on how to enable the recon event handler.  

Further information

See Reconciliation event topic properties for information on idm-recon event properties.

idm-sync (Audit)

Captures any change to an object that causes automatic synchronization (live sync or implicit sync) to run when you have a repository mapped to Identity Cloud. Each event records the synchronization situation and the action taken for the object, per account. The idm-activity log contains additional details about each action.

Further information

See Synchronization Event Topic Properties for information on idm-sync event properties.

See Also

  • How do I extend auditing in Identity Cloud to include additional fields?
  • View Audit and Debug Logs
  • What environments are available in Identity Cloud and what is the promotion process?


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.