How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I disable audit logging in IDM 6.5 and 7.x?

Last updated May 19, 2021

The purpose of this article is to provide information on disabling audit logging in IDM and the consequences of doing this.


Overview

By default, configurations for the JSON audit event handler and the repository audit event handler are included in the audit.json file (located in the /path/to/idm/conf directory). The JSON audit handler is used for queries by default.

You can disable audit logging in IDM 6.5 and later, if required, but you should be aware that this will impact the ability to troubleshoot issues if they occur. Additionally, you will not be able to query audit data. It is strongly recommended that you configure audit log rotation and retention instead of disabling audit logs. See Audit Guide › Log File Rotation and Log File Retention for further information.

Caution

In older versions of IDM, audit data was queried to view the reconciliation result state in the UI, which means that disabling audit logging would also stop this functionality from working and make the UI unstable. As a result, it is strongly advised that you do not disable audit logging in IDM 6 and earlier.

Disabling audit logging

You can disable audit logging as follows depending on your version:

  • IDM 7.1 and later: you can set the following properties to true or false in the boot.properties file (located in the /path/to/idm/resolver/ directory) to enable/disable as needed:
    • openidm.audit.handler.json.enabled
    • openidm.audit.handler.stdout.enabled
    • openidm.audit.handler.repo.enabled
    See Audit Guide › Choose Audit Event Handlers for further information.
  • Pre-IDM 7.1: You can use either of the following approaches, although the first one is preferred:
    • Disable each configured audit handler in the audit.json file. You can do this by adding the enabled field set to false for each configured audit handler, for example:

      {
          "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
          "config" : {
              "name" : "json",
              "enabled": false,
              ...
          }
      },

    • Remove all the configured audit handlers from audit.json. The downside to this approach is that you lose the configurations if you want to re-enable them in the future.

Verifying your changes

You can check that audit logging has been disabled by running the following query, which uses jq on the command line to prettify the result (you can install jq as outlined in Download jq or just exclude | jq . from the command). For example:

  • IDM 7 and later: $ curl -X GET -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" -H "Accept-API-Version: resource=1.0" "http://localhost:8080/openidm/audit/activity?_queryFilter=true" | jq .
  • Pre-IDM 7: $ curl -X GET -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: openidm-admin" "http://localhost:8080/openidm/audit/activity?_queryFilter=true" | jq .

You will get a response similar to the following if audit logging is disabled:

{"code" : 500, "reason" : "Internal Server Error", "message" : "The handler defined for queries, 'json', has not been registered to the audit service, or it is disabled."}
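The following is an added example (not part of this article or of IDM itself) that applies the preferred pre-7.1 approach from "Disabling audit logging": it sets "enabled": false on every handler in a parsed audit.json while keeping each handler's configuration, and it recognises the 500 response shown above under "Verifying your changes". The audit.json content is a constructed sample, and the top-level "eventHandlers" key is assumed from IDM's shipped file rather than taken from the article.

```python
import copy
import json

# Constructed sample modelled on the audit.json layout the article describes:
# an "eventHandlers" list of {"class": ..., "config": {...}} entries. The key
# name "eventHandlers" is an assumption based on IDM's shipped file.
SAMPLE_AUDIT_JSON = """{
  "auditServiceConfig": {"handlerForQueries": "json"},
  "eventHandlers": [
    {"class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
     "config": {"name": "json", "topics": ["access", "activity", "recon"]}},
    {"class": "org.forgerock.openidm.audit.impl.RepositoryAuditEventHandler",
     "config": {"name": "repo", "enabled": true, "topics": ["recon"]}}
  ]
}"""


def parse_audit_json(text):
    """Parse the text of an audit.json file into a dict."""
    return json.loads(text)


def enabled_handler_names(audit_config):
    """Names of handlers that are still active. A handler with no explicit
    "enabled" field counts as enabled, which is the default behaviour."""
    return [h["config"]["name"] for h in audit_config.get("eventHandlers", [])
            if h.get("config", {}).get("enabled", True)]


def disable_audit_handlers(audit_config):
    """Return a copy of the parsed audit.json with "enabled": false on every
    handler. The rest of each handler's config is kept, so the handlers can be
    re-enabled later (the article's preferred pre-7.1 approach)."""
    updated = copy.deepcopy(audit_config)
    for handler in updated.get("eventHandlers", []):
        handler.setdefault("config", {})["enabled"] = False
    return updated


def audit_query_is_rejected(response):
    """True when a GET on /openidm/audit/activity returned the 500 error the
    article shows for a disabled query handler, i.e. audit logging is off."""
    return (response.get("code") == 500
            and "has not been registered to the audit service" in response.get("message", ""))


if __name__ == "__main__":
    config = parse_audit_json(SAMPLE_AUDIT_JSON)
    print("enabled before:", enabled_handler_names(config))
    config = disable_audit_handlers(config)
    print("enabled after: ", enabled_handler_names(config))
    print(json.dumps(config, indent=4))  # content to write back to audit.json
```

Run it against the real file by replacing SAMPLE_AUDIT_JSON with the contents of /path/to/idm/conf/audit.json and writing the printed JSON back; the verification curl command's JSON response can then be fed to audit_query_is_rejected.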

See Also

How do I purge reconciliation audit logs in IDM (All versions)?

Audit Guide › Purge Obsolete Audit Information

Audit Guide › Query Audit Logs Over REST

Audit Guide

Installation Guide › Format REST Output For Readability

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.