How do I set up the ForgeRock Identity Cloud app for Splunk?
The purpose of this article is to provide the steps for installing, configuring and using the community-supported ForgeRock Identity Cloud app for Splunk®, available on Splunkbase™.
Disclaimer
The ForgeRock Identity Cloud app for Splunk is a community app provided independently from ForgeRock. It is provided on an "as is" basis, without warranty of any kind, to the fullest extent permitted by law.
Overview
Once configured, the ForgeRock Identity Cloud app for Splunk polls the audit REST endpoints (/monitoring/logs) of your Identity Cloud tenants. The default poll interval is 30 seconds and the audit logging sources requested are:
- am-authentication
- am-access
- am-config
- idm-activity
See What logging sources are available in Identity Cloud? for further information on Identity Cloud logging sources.
The ForgeRock Identity Cloud app for Splunk is available for both Splunk Enterprise® and Splunk Cloud Platform™.
Sample dashboard
The sample dashboard provided by the ForgeRock Identity Cloud app displays the following data:
- Logins per day
- Login success per journey
- Journeys per 4 hour period
- Top users
- Top authentication nodes by name
- Top authentication nodes by type
- Identity updates per day
- Account status changes per day
- Activity by country
Prerequisites
- You have one or more working Identity Cloud tenants.
- You have signed up for a Splunk account.
- You have downloaded and installed Splunk Enterprise or have signed up for Splunk Cloud.
Downloading and installing the ForgeRock Identity Cloud app
- In Splunk Enterprise or Splunk Cloud, click the Apps gear icon.
- Click Browse more apps.
- Search for the ForgeRock Identity Cloud app, and then click Install.
- Enter your Splunk.com login username and password, and agree to the terms and conditions.
- Click Agree and Install.
- Once the app has been installed, click Open the App to open the ForgeRock Identity Cloud Dashboard.
Configuring the ForgeRock Identity Cloud app
- In Splunk Enterprise or Splunk Cloud, click ForgeRock (in the App list) to open the ForgeRock Identity Cloud Dashboard.
- Click Inputs on the menu bar.
- Click Create New Input.
- Enter a name and your Identity Cloud tenant URL, for example, https://<tenant-env-fqdn>, where <tenant-env-fqdn> is your Identity Cloud tenant.
- Enter the API Key ID and API Key Secret that you'll use to authenticate to the Identity Cloud REST API endpoints. See Get an API key and secret for further information on creating Identity Cloud API credentials.
- Click Add.
- Ensure the Status is Enabled.
- If required, repeat Steps 3 to 7 to add more tenants.
- Click ForgeRock Identity Cloud Dashboard on the menu bar.
- Under Tenant, choose the name of the tenant to view. Note that the dropdown is populated dynamically when data starts to be ingested, so you may need to wait several minutes before the tenant names are visible. Similarly, the data widgets on the dashboard will only display results once relevant data has been captured. This may take several minutes, depending on the activity of the tenant.
The sample dashboard includes widgets showing examples of how audit logs can be searched, and results categorized and visualized. You can hover your mouse pointer over any widget and click the magnifying glass icon to see the search string and raw data.
Searching audit data
You can view the details of Identity Cloud audit log data by performing searches.
- In Splunk Enterprise or Splunk Cloud, click ForgeRock (in the App list) to open the ForgeRock Identity Cloud Dashboard.
- Click Search on the menu bar.
- Enter your search string and select a timeframe.
- Click the magnifying glass search icon.
See the Search Manual for further information on Splunk's Search app.
Example search
The following search string returns all audit events associated with authentication nodes from the journey called "Login" and for a tenant input called "forgerock":
source="forgerock" realm="/alpha" eventName="AM-NODE-LOGIN-COMPLETED" entries{}.info.treeName="Login"
The search results will appear similar to this:
Other example searches
| Search string | Description |
|---|---|
| source="forgerock" realm="/alpha" | Filters all alpha realm authentication events. |
| source="forgerock" realm="/alpha" eventName="AM-TREE-LOGIN-COMPLETED" | Filters on alpha realm + trees. |
| source="forgerock" realm="/alpha" eventName="AM-TREE-LOGIN-COMPLETED" result="SUCCESSFUL" | Filters on alpha realm + trees where login was successful. |
| source="forgerock" realm="/alpha" eventName="AM-TREE-LOGIN-COMPLETED" result="FAILED" | Filters on alpha realm + trees where login failed. |
| source="forgerock" realm="/alpha" principal{}="wsmith" | Filters on alpha realm authentication activity where the principal/username is "wsmith". Note that only a subset of wsmith's activity will be captured by this search, so it may be preferable to filter on UUID or trackingId instead. |
| source="forgerock" realm="/alpha" eventName="AM-NODE-LOGIN-COMPLETED" trackingIds{}="22e73c81-708e-4849-b064-db29b68ef943-105372" | Filters on alpha realm + trees for a specific trackingId. |
| source="forgerock" realm="/alpha" eventName="AM-NODE-LOGIN-COMPLETED" | Filters on alpha realm authentication node events. |
| source="forgerock" realm="/alpha" eventName="AM-NODE-LOGIN-COMPLETED" entries{}.info.nodeType="DataStoreDecisionNode" | Filters on alpha realm authentication nodes of type DataStoreDecisionNode. |
| source="forgerock" realm="/alpha" eventName="AM-NODE-LOGIN-COMPLETED" entries{}.info.nodeType="DataStoreDecisionNode" entries{}.info.nodeOutcome="false" | Filters on alpha realm authentication nodes of type DataStoreDecisionNode where the node outcome was "false". |
| source="forgerock" operation="PATCH" objectId="managed/alpha_user/*" changedFields{}="/accountStatus" after.accountStatus="inactive" | Filters on changes to managed/alpha_user objects where the accountStatus field was changed to "inactive" (user was disabled). |
| source="forgerock" eventName="AM-CONFIG-CHANGE" | Filters on Access Management (AM) configuration changes. |
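To make the {} notation in these searches concrete, the following is an added Python example (not part of the Splunk app or of this article) that evaluates the same field=value criteria over constructed sample audit events: a {} suffix is treated as "any element of that JSON array", and each criterion is checked independently, which is how Splunk matches multivalue JSON fields. The event payloads and their values are constructed for illustration, not real tenant data.

```python
# Constructed sample audit events (illustrative values, not real tenant data)
# using the field names the searches above rely on.
SAMPLE_EVENTS = [
    {"source": "forgerock", "realm": "/alpha", "eventName": "AM-NODE-LOGIN-COMPLETED",
     "principal": ["wsmith"], "trackingIds": ["trk-1"],
     "entries": [{"info": {"treeName": "Login", "nodeType": "DataStoreDecisionNode",
                           "nodeOutcome": "false"}}]},
    {"source": "forgerock", "realm": "/alpha", "eventName": "AM-TREE-LOGIN-COMPLETED",
     "principal": ["wsmith"], "trackingIds": ["trk-1"], "result": "FAILED"},
    {"source": "forgerock", "realm": "/bravo", "eventName": "AM-TREE-LOGIN-COMPLETED",
     "principal": ["jdoe"], "result": "SUCCESSFUL"},
    {"source": "forgerock", "operation": "PATCH", "objectId": "managed/alpha_user/1234",
     "changedFields": ["/accountStatus"], "after": {"accountStatus": "inactive"}},
]

def field_values(event, path):
    """Resolve a Splunk-style path such as 'entries{}.info.nodeType'. A '{}'
    suffix means 'every element of that JSON array', so the result is the list
    of all values reachable along the path (possibly empty)."""
    current = [event]
    for part in path.split("."):
        next_values = []
        for obj in current:
            if not isinstance(obj, dict):
                continue
            if part.endswith("{}"):
                arr = obj.get(part[:-2])
                next_values.extend(arr if isinstance(arr, list) else [])
            elif part in obj:
                next_values.append(obj[part])
        current = next_values
    return current

def matches(event, criteria):
    """True when every criterion matches at least one resolved value. Criteria are
    independent (as in SPL); a trailing '*' is a prefix wildcard, as in objectId."""
    for path, wanted in criteria.items():
        values = [str(v) for v in field_values(event, path)]
        if wanted.endswith("*"):
            if not any(v.startswith(wanted[:-1]) for v in values):
                return False
        elif wanted not in values:
            return False
    return True

# The "user was disabled" search from the table, expressed as criteria.
DISABLED_USERS = {"source": "forgerock", "operation": "PATCH",
                  "objectId": "managed/alpha_user/*", "changedFields{}": "/accountStatus",
                  "after.accountStatus": "inactive"}
```

Running `[e for e in SAMPLE_EVENTS if matches(e, DISABLED_USERS)]` returns only the PATCH event, which is the same set the table's accountStatus search would surface in Splunk.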
See Also
What logging sources are available in Identity Cloud?