What logging sources are available in Identity Cloud?
The purpose of this article is to describe the sources available for audit and debug logging in ForgeRock Identity Cloud. These logs can be useful for troubleshooting.
Overview
Identity Cloud provides audit logging to help you to investigate user and system behavior, and debug logging to help you and ForgeRock support staff investigate any issues which may arise in production.
Logs in Identity Cloud are stored in various sources, allowing you to view just the logs you are interested in. These sources include:
- am-access
- am-activity
- am-authentication
- am-config
- am-core
- am-everything
- idm-access
- idm-activity
- idm-authentication
- idm-config
- idm-core
- idm-everything
- idm-recon
- idm-sync
Note
Identity Cloud stores audit data for 30 days. To keep audit data for longer, you'll need to store it in your own data stores. Currently, you can only gather audit logs by pulling them from the REST API endpoint (/monitoring/logs).
Viewing the logs
To view the logs in Identity Cloud, you'll use the /monitoring/logs API endpoint. You'll need an API key and secret before you can authenticate to this endpoint. See Authenticate to Identity Cloud REST API with API key and secret for further information.
You can get a list of available sources by running the following command, replacing <API-KEY> and <API-SECRET> with your own details, and <tenant-env-fqdn> with the name of your Identity Cloud tenant:

```shell
curl \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
'https://<tenant-env-fqdn>/monitoring/logs/sources'
```
```json
{
  "resultCount" : 14,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : 0,
  "result" : [
    "am-access",
    "am-activity",
    "am-authentication",
    "am-config",
    "am-core",
    "am-everything",
    "idm-access",
    "idm-activity",
    "idm-authentication",
    "idm-config",
    "idm-core",
    "idm-everything",
    "idm-recon",
    "idm-sync"
  ],
  "totalPagedResultsPolicy" : "NONE",
  "totalPagedResults" : 1
}
```
Viewing the logs for a source
To view the logs for a source, run the following command, replacing <API-KEY> and <API-SECRET> with your own details, and <tenant-env-fqdn> with the name of your Identity Cloud tenant. Replace <SourceName> with the appropriate source from the list above, and add the required begin and end times:

```shell
curl --get \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
--data 'beginTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'source=<SourceName>' \
'https://<tenant-env-fqdn>/monitoring/logs'
```
Note
If you are using Postman, use this format instead:

```shell
curl --location --request GET 'https://<tenant-env-fqdn>/monitoring/logs?key=&source=<SourceName>&beginTime=yyyy-mm-ddThh:mm:ss.ssZ&endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>'
```
Note
To reduce the size of the output, logging queries are restricted to within a 24-hour period.
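The two constraints above (24-hour query window, 30-day retention) mean that anyone archiving Identity Cloud logs into their own store has to chunk a longer range into 24-hour windows and follow the paging cookie within each window. The script below is an added example, not ForgeRock's code: it builds the same headers and parameters the curl commands use, splits an arbitrary range into 24-hour windows, and collects every page. It assumes (not stated on this page) that the `pagedResultsCookie` value is sent back as the `_pagedResultsCookie` query parameter. `http_fetch` does the real HTTPS call; `demo()` runs the same logic offline against a constructed stand-in fetcher that returns sample responses in the shape the article shows.

```python
"""Pull Identity Cloud logs for one source over a range longer than 24 hours.

Added example (not ForgeRock's code). Assumptions are marked in comments.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

MAX_WINDOW = timedelta(hours=24)  # the article: queries are restricted to 24 hours


def split_windows(begin, end, max_window=MAX_WINDOW):
    """Split [begin, end) into consecutive windows no longer than max_window."""
    if end <= begin:
        raise ValueError("end must be after begin")
    windows, start = [], begin
    while start < end:
        stop = min(start + max_window, end)
        windows.append((start, stop))
        start = stop
    return windows


def iso(ts):
    """Format a timezone-aware datetime as yyyy-mm-ddThh:mm:ss.ssZ (the article's format)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-4] + "Z"


def build_query(source, begin, end, cookie=None):
    """Query parameters for one page of /monitoring/logs."""
    params = {"source": source, "beginTime": iso(begin), "endTime": iso(end)}
    if cookie:
        params["_pagedResultsCookie"] = cookie  # assumption: CREST paging parameter name
    return params


def http_fetch(tenant_fqdn, api_key, api_secret, params):
    """Real fetcher: one GET with the x-api-key / x-api-secret headers (not exercised offline)."""
    url = f"https://{tenant_fqdn}/monitoring/logs?{urlencode(params)}"
    req = Request(url, headers={"x-api-key": api_key, "x-api-secret": api_secret})
    with urlopen(req) as resp:
        return json.load(resp)


def pull_logs(source, begin, end, fetch):
    """Collect every event for `source` in [begin, end): chunk by 24h, follow paging cookies."""
    events = []
    for win_begin, win_end in split_windows(begin, end):
        cookie = None
        while True:
            page = fetch(build_query(source, win_begin, win_end, cookie))
            events.extend(page.get("result", []))
            cookie = page.get("pagedResultsCookie")
            if not cookie:  # null cookie means this window is exhausted
                break
    return events


def make_fake_fetch(pages):
    """Constructed offline stand-in for http_fetch; pages keyed by (beginTime, cookie)."""
    calls = []

    def fetch(params):
        calls.append(dict(params))
        return pages[(params["beginTime"], params.get("_pagedResultsCookie"))]

    fetch.calls = calls
    return fetch


def demo():
    """36-hour range -> two windows; the first window has two pages, the second has one."""
    begin = datetime(2021, 10, 13, 0, 0, tzinfo=timezone.utc)
    end = begin + timedelta(hours=36)
    w = split_windows(begin, end)
    pages = {  # constructed sample responses in the shape the article shows
        (iso(w[0][0]), None): {"result": [{"payload": {"_id": "evt-1"}}], "pagedResultsCookie": "c1"},
        (iso(w[0][0]), "c1"): {"result": [{"payload": {"_id": "evt-2"}}], "pagedResultsCookie": None},
        (iso(w[1][0]), None): {"result": [{"payload": {"_id": "evt-3"}}], "pagedResultsCookie": None},
    }
    fetch = make_fake_fetch(pages)
    ids = [e["payload"]["_id"] for e in pull_logs("am-access", begin, end, fetch)]
    return ids, len(fetch.calls), [(iso(a), iso(b)) for a, b in w]


if __name__ == "__main__":
    print(demo())
```

To run it against a tenant, pass `lambda p: http_fetch("<tenant-env-fqdn>", "<API-KEY>", "<API-SECRET>", p)` as the `fetch` argument and write the returned events to your own store before the 30-day retention window expires.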
Source descriptions
Source | Type | Description
---|---|---
am-access | Audit | Captures all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request.
am-activity | Audit | Captures state changes to objects that have been created, updated, or deleted by Identity Cloud end users. This includes session, user profile, and device profile changes.
am-authentication | Audit | Captures when and how a user is authenticated and related audit events. Identity Cloud records an authentication audit event for each authentication node and the journey outcome. A node can provide extra data in the standard audit event, which is logged when an authentication node completes. Identity Cloud logs an
am-config | Audit | Captures access management configuration changes for Identity Cloud with a timestamp and by whom. Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments.
am-core | Debug | Captures access management debug logs for Identity Cloud. Use am-core when debugging anything in access management without wanting to capture audit events. Development and Sandbox environments provide DEBUG level logs, with logs in several areas tuned to INFO or WARNING to reduce log volumes. To reduce log volumes, Staging and Production environments provide WARNING level logs only. For troubleshooting and to view the latest entries in the stored logs, you can tail the am-core source, as described here: Tail Logs
am-everything | Audit, Debug | Captures all access management audit and debug logs for Identity Cloud. This includes all the logs captured in am-access, am-activity, am-authentication, am-config and am-core.
idm-access | Audit | Captures messages for the identity management REST endpoints and the invocation of scheduled tasks. This is the who, what, and output for every identity management access request in Identity Cloud.
idm-activity | Audit | Captures operations on internal (managed) and external (system) objects in Identity Cloud. idm-activity logs the changes to identity content, such as adding or updating users, changing passwords, etc.
idm-authentication | Audit | Captures the results when you authenticate to an If there is an existing authentication session in access management, another authentication to identity management is not required as the session is valid for the operation. In this case, you would see authentication logs for am-authentication; for identity management, the logs would be available in idm-access and idm-activity.
idm-config | Audit | Captures configuration changes to Identity Cloud with a timestamp and by whom. Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments.
idm-core | Debug | Captures identity management debug logs for Identity Cloud. Use idm-core when debugging anything in identity management without wanting to capture audit events. Development and Sandbox environments provide FINE level logs, with logs in several areas tuned to INFO, WARNING and SEVERE to reduce log volumes. To reduce log volumes, Staging and Production environments include INFO and WARNING level logs only. For troubleshooting and to view the latest entries in the stored logs, you can tail
idm-everything | Audit, Debug | Captures identity management audit and debug logs for Identity Cloud. This includes all the logs captured in idm-access, idm-activity, idm-authentication, idm-config, idm-recon, idm-sync and idm-core.
idm-recon | Audit | Captures identity management reconciliation events for Identity Cloud. The corresponding audit topic for idm-recon is disabled by default in Identity Cloud. You will need to enable the recon event handler for reconciliation events to appear in the audit logs. See Update audit configuration for information on how to enable the recon event handler.
idm-sync | Audit | Captures any changes made to an object that result in automatic sync (live sync and implicit sync) when you have a repository mapped to Identity Cloud. This includes situations and the actions taken on each object, by account. The idm-activity log contains additional details about each action.

Example output: am-access

```json
{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783933",
    "client" : { "ip" : "198.51.100.0" },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-ATTEMPT",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [ "application/x-www-form-urlencoded" ],
          "host" : [ "<tenant-env-fqdn>" ],
          "user-agent" : [ "Apache-HttpClient/4.5.13 (Java/11.0.11)" ],
          "x-forwarded-for" : [ "198.51.100.0, 203.0.113.0, 192.0.2.255" ],
          "x-forwarded-proto" : [ "https" ]
        },
        "method" : "POST",
        "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "request" : {
      "detail" : {
        "client_id" : "RCSClient",
        "grant_type" : "client_credentials",
        "scope" : "fr:idm:*"
      }
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.646Z",
    "topic" : "access",
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0"
  },
  "timestamp" : "2021-10-13T09:20:08.648449536Z",
  "type" : "application/json"
},
{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783941",
    "client" : { "ip" : "198.51.100.0" },
    "component" : "OAuth",
    "eventName" : "AM-ACCESS-OUTCOME",
    "http" : {
      "request" : {
        "headers" : {
          "content-type" : [ "application/x-www-form-urlencoded" ],
          "host" : [ "<tenant-env-fqdn>" ],
          "user-agent" : [ "Apache-HttpClient/4.5.13 (Java/11.0.11)" ],
          "x-forwarded-for" : [ "198.51.100.0, 203.0.113.0, 192.0.2.255" ],
          "x-forwarded-proto" : [ "https" ]
        },
        "method" : "POST",
        "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
        "secure" : true
      }
    },
    "level" : "INFO",
    "realm" : "/alpha",
    "response" : {
      "detail" : { "scope" : "fr:idm:*", "token_type" : "Bearer" },
      "elapsedTime" : 50,
      "elapsedTimeUnits" : "MILLISECONDS",
      "status" : "SUCCESSFUL",
      "statusCode" : "200"
    },
    "source" : "audit",
    "timestamp" : "2021-10-13T09:20:08.696Z",
    "topic" : "access",
    "trackingIds" : [
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783934",
      "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783939"
    ],
    "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0",
    "userId" : "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config"
  },
  "timestamp" : "2021-10-13T09:20:08.696794524Z",
  "type" : "application/json"
}
```

Further information: See Access Log Format for information on am_access properties.

Example output: am-activity

```json
{
  "timestamp" : "2021-08-25T12:19:15.247547764Z",
  "payload" : {
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195032",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023",
    "transactionId" : "cf2a721c-9cec-4224-bdd1-3a33e1f8ed56/4",
    "level" : "INFO",
    "eventName" : "AM-SESSION-CREATED",
    "timestamp" : "2021-08-25T12:19:15.246Z",
    "component" : "Session",
    "source" : "audit",
    "topic" : "activity",
    "trackingIds" : [ "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023" ],
    "realm" : "/",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "runAs" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "CREATE"
  },
  "type" : "application/json"
},
{
  "type" : "application/json",
  "timestamp" : "2021-08-25T12:19:27.761843277Z",
  "payload" : {
    "transactionId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-1",
    "level" : "INFO",
    "eventName" : "AM-SESSION-IDLE_TIMED_OUT",
    "timestamp" : "2021-08-25T12:19:27.761Z",
    "component" : "Session",
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195043",
    "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839",
    "trackingIds" : [
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-65488",
      "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839"
    ],
    "realm" : "/",
    "runAs" : "",
    "userId" : "id=amadmin,ou=user,ou=am-config",
    "operation" : "DELETE",
    "topic" : "activity",
    "source" : "audit"
  }
}
```

Further information: See Activity Log Format for information on am_activity properties.

Example output: am-authentication

```json
{
  "type" : "application/json",
  "timestamp" : "2021-08-25T11:33:32.56492651Z",
  "payload" : {
    "topic" : "authentication",
    "eventName" : "AM-NODE-LOGIN-COMPLETED",
    "transactionId" : "ad56bedd-7dab-45d1-84d9-505b0b64fd6d/6",
    "principal" : [ "amadmin" ],
    "timestamp" : "2021-08-25T11:33:32.564Z",
    "component" : "Authentication",
    "source" : "audit",
    "realm" : "/",
    "entries" : [
      {
        "info" : {
          "authLevel" : "0",
          "displayName" : "Page Node",
          "nodeId" : "83a9d86e-d6f5-11ea-87d0-0242ac130003",
          "nodeOutcome" : "outcome",
          "treeName" : "FRLogin",
          "nodeType" : "PageNode"
        }
      }
    ],
    "level" : "INFO",
    "trackingIds" : [ "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184020" ],
    "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184022"
  }
}
```

Further information: See Authentication Log Format for information on am_authentication properties.

Example output: am-config

```json
{
  "payload" : {
    "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-822860",
    "eventName" : "AM-CONFIG-CHANGE",
    "level" : "INFO",
    "objectId" : "ou=Office365,ou=dashboardApp,ou=default,ou=GlobalConfig,ou=1.0,ou=dashboardService,ou=services,ou=am-config",
    "operation" : "CREATE",
    "runAs" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config",
    "source" : "audit",
    "timestamp" : "2021-10-13T10:47:38.663Z",
    "topic" : "config",
    "trackingIds" : [ "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-821644" ],
    "transactionId" : "1634122041174-2e50ecbf0df5407a6870-229391/0",
    "userId" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config"
  },
  "timestamp" : "2021-10-13T10:47:38.668823043Z",
  "type" : "application/json"
}
```

Further information: See Config Log Format for information on am_configuration properties.

Example output: am-core

```json
{
  "timestamp" : "2021-08-03T08:00:33.099287329Z",
  "type" : "application/json",
  "payload" : {
    "mdc" : { "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18" },
    "timestamp" : "2021-08-03T08:00:33.098Z",
    "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18",
    "level" : "DEBUG",
    "thread" : "http-nio-8080-exec-6",
    "message" : "AuthenticationOperations selected.",
    "context" : "default",
    "logger" : "com.iplanet.dpro.session.operations.ServerSessionOperationStrategy"
  }
}
```

Example output: idm-access

```json
{
  "type" : "application/json",
  "payload" : {
    "response" : {
      "status" : "SUCCESSFUL",
      "elapsedTimeUnits" : "MILLISECONDS",
      "statusCode" : "200",
      "elapsedTime" : 3
    },
    "server" : { "ip" : "198.51.100.0", "port" : 8080 },
    "roles" : [ "internal/role/openidm-reg" ],
    "eventName" : "access",
    "http" : {
      "request" : {
        "path" : "http://idm/openidm/info/ping",
        "secure" : false,
        "method" : "GET",
        "headers" : { "host" : [ "idm" ] }
      }
    },
    "request" : { "protocol" : "CREST", "operation" : "READ" },
    "_id" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841755",
    "transactionId" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841744",
    "userId" : "anonymous",
    "timestamp" : "2021-08-03T08:05:43.617Z",
    "client" : { "port" : 8080, "ip" : "198.51.100.0" }
  },
  "timestamp" : "2021-08-03T08:05:46.054580251Z"
}
```

Further information: See Access Event Topic Properties for information on idm-access event properties.

Example output: idm-activity

```json
{
  "timestamp" : "2021-08-27T15:14:49.508370169Z",
  "type" : "application/json",
  "payload" : {
    "_id" : "eebf2abb-e4f1-428f-8fbb-8c18ed3f9559-218925",
    "transactionId" : "1630077288251-f5190abcb8c2d0d42c31-136380/0",
    "message" : "",
    "timestamp" : "2021-08-27T15:14:48.43Z",
    "eventName" : "activity",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "revision" : "00000000478fd92b",
    "operation" : "PATCH",
    "changedFields" : [],
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "passwordChanged" : true,
    "status" : "SUCCESS",
    "objectId" : "managed/alpha_user/e70c4476-1305-408a-9246-ac76c64ba039"
  }
}
```

Further information: See Activity Event Topic Properties for information on idm-activity event properties.

Further information: idm-authentication

See Authentication Event Topic Properties for information on idm-authentication event properties.

Example output: idm-config

```json
{
  "payload" : {
    "_id" : "f6a3a7b2-aaf3-426d-a998-a970f84bdf4b-1519486",
    "changedFields" : [ "/mappings" ],
    "eventName" : "CONFIG",
    "objectId" : "sync",
    "operation" : "UPDATE",
    "revision" : null,
    "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
    "timestamp" : "2021-10-12T16:05:47.217Z",
    "transactionId" : "1634054726312-2e50ecbf0df5407a6870-202437/0",
    "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54"
  }
}
```

Further information: See Configuration Event Topic Properties for information on idm-configuration event properties.

Example output: idm-core

```json
{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083008561Z",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.config.manage.ConfigObjectService read\n"
},
{
  "payload" : "FINE: Read configuration for service access\n",
  "timestamp" : "2021-08-31T01:00:38.083020673Z",
  "type" : "text/plain"
},
{
  "timestamp" : "2021-08-31T01:00:38.083262771Z",
  "type" : "text/plain",
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n"
},
{
  "payload" : "FINE: Access Check for HTTP request for resource id: info/ping, role: [internal/role/openidm-reg], method: read, action: \n",
  "timestamp" : "2021-08-31T01:00:38.083276635Z",
  "type" : "text/plain"
},
{
  "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n",
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:38.083586497Z"
},
{
  "payload" : "FINE: Request allowed\n",
  "timestamp" : "2021-08-31T01:00:38.083612635Z",
  "type" : "text/plain"
},
{
  "type" : "text/plain",
  "timestamp" : "2021-08-31T01:00:39.326788471Z",
  "payload" : "Aug 31, 2021 1:00:39 AM org.forgerock.openidm.internal.InternalObjectSet readInstance\n"
}
```

Further information: idm-recon

See Reconciliation event topic properties for information on idm-recon event properties.

Further information: idm-sync

See Synchronization Event Topic Properties for information on idm-sync event properties.
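The am-access example above shows the pattern that makes these logs useful for investigation: every request produces an AM-ACCESS-ATTEMPT event (who asked, from which IP, for what) and an AM-ACCESS-OUTCOME event (status, status code, elapsed time, resolved userId), tied together by the same transactionId. The script below is an added example, not ForgeRock's code, that pairs the two halves and lists the requests that did not end SUCCESSFUL. Its input is a constructed sample page trimmed to the fields used here; the second transaction (txn-2, client_id example-client, status FAILED / 401) is constructed to exercise the failure path, since the article only shows a successful exchange.

```python
"""Pair am-access ATTEMPT/OUTCOME audit events by transactionId and list failures.

Added example (not ForgeRock's code); SAMPLE_PAGE is constructed in the
shape of the article's am-access example output, with request headers dropped.
"""
import json
from collections import defaultdict

SAMPLE_PAGE = json.loads(r'''
{ "result" : [
  { "payload" : { "_id" : "sample-1", "client" : { "ip" : "198.51.100.0" }, "component" : "OAuth",
      "eventName" : "AM-ACCESS-ATTEMPT",
      "http" : { "request" : { "method" : "POST", "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token", "secure" : true } },
      "realm" : "/alpha",
      "request" : { "detail" : { "client_id" : "RCSClient", "grant_type" : "client_credentials", "scope" : "fr:idm:*" } },
      "source" : "audit", "timestamp" : "2021-10-13T09:20:08.646Z", "topic" : "access", "transactionId" : "txn-1/0" },
    "timestamp" : "2021-10-13T09:20:08.648449536Z", "type" : "application/json" },
  { "payload" : { "_id" : "sample-2", "client" : { "ip" : "198.51.100.0" }, "component" : "OAuth",
      "eventName" : "AM-ACCESS-OUTCOME",
      "http" : { "request" : { "method" : "POST", "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token", "secure" : true } },
      "realm" : "/alpha",
      "response" : { "detail" : { "scope" : "fr:idm:*", "token_type" : "Bearer" }, "elapsedTime" : 50, "elapsedTimeUnits" : "MILLISECONDS", "status" : "SUCCESSFUL", "statusCode" : "200" },
      "source" : "audit", "timestamp" : "2021-10-13T09:20:08.696Z", "topic" : "access", "transactionId" : "txn-1/0",
      "userId" : "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config" },
    "timestamp" : "2021-10-13T09:20:08.696794524Z", "type" : "application/json" },
  { "payload" : { "_id" : "sample-3", "client" : { "ip" : "203.0.113.7" }, "component" : "OAuth",
      "eventName" : "AM-ACCESS-ATTEMPT",
      "http" : { "request" : { "method" : "POST", "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token", "secure" : true } },
      "realm" : "/alpha",
      "request" : { "detail" : { "client_id" : "example-client", "grant_type" : "client_credentials" } },
      "source" : "audit", "timestamp" : "2021-10-13T09:21:00.000Z", "topic" : "access", "transactionId" : "txn-2/0" },
    "timestamp" : "2021-10-13T09:21:00.001Z", "type" : "application/json" },
  { "payload" : { "_id" : "sample-4", "client" : { "ip" : "203.0.113.7" }, "component" : "OAuth",
      "eventName" : "AM-ACCESS-OUTCOME",
      "http" : { "request" : { "method" : "POST", "path" : "https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token", "secure" : true } },
      "realm" : "/alpha",
      "response" : { "elapsedTime" : 12, "elapsedTimeUnits" : "MILLISECONDS", "status" : "FAILED", "statusCode" : "401" },
      "source" : "audit", "timestamp" : "2021-10-13T09:21:00.020Z", "topic" : "access", "transactionId" : "txn-2/0" },
    "timestamp" : "2021-10-13T09:21:00.021Z", "type" : "application/json" }
] }
''')


def correlate(events):
    """Pair AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME payloads by transactionId."""
    by_txn = defaultdict(dict)
    for event in events:
        p = event.get("payload", {})
        if p.get("topic") != "access":
            continue
        if p.get("eventName") == "AM-ACCESS-ATTEMPT":
            by_txn[p["transactionId"]]["attempt"] = p
        elif p.get("eventName") == "AM-ACCESS-OUTCOME":
            by_txn[p["transactionId"]]["outcome"] = p
    return dict(by_txn)


def summarize(events):
    """One flat row per transaction: who asked, from where, for what, and how it ended."""
    rows = []
    for txn, pair in correlate(events).items():
        attempt, outcome = pair.get("attempt", {}), pair.get("outcome", {})
        resp = outcome.get("response", {})
        rows.append({
            "transactionId": txn,
            "client_ip": (attempt or outcome).get("client", {}).get("ip"),
            "client_id": attempt.get("request", {}).get("detail", {}).get("client_id"),
            "path": (attempt or outcome).get("http", {}).get("request", {}).get("path"),
            "status": resp.get("status"),       # None when no OUTCOME was logged
            "statusCode": resp.get("statusCode"),
            "elapsed_ms": resp.get("elapsedTime"),
            "userId": outcome.get("userId"),
        })
    return rows


def failed_requests(events):
    """Rows whose outcome is missing or not SUCCESSFUL: the ones worth a second look."""
    return [r for r in summarize(events) if r["status"] != "SUCCESSFUL"]


def failures_by_client(events):
    """Count non-successful outcomes per (client_id, client_ip) for a quick triage view."""
    counts = defaultdict(int)
    for r in failed_requests(events):
        counts[(r["client_id"], r["client_ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in failed_requests(SAMPLE_PAGE["result"]):
        print(row)
    print(failures_by_client(SAMPLE_PAGE["result"]))
```

Because the `result` array returned by /monitoring/logs has the same shape as `SAMPLE_PAGE["result"]`, the functions can be fed pages pulled from the endpoint directly; an ATTEMPT with no matching OUTCOME shows up with `status` of `None` rather than being silently dropped.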
See Also
How do I extend auditing in Identity Cloud to include additional fields?
What environments are available in Identity Cloud and what is the promotion process?