Does not apply to Identity Cloud

Does the ForgeRock Identity Platform include an audit logging service?

Last updated Mar 8, 2022

Yes. The ForgeRock Identity Platform includes a REST-based Audit Logging Service that captures all auditing events critical for system security, troubleshooting, usage analytics and regulatory compliance.


Overview

The ForgeRock Identity Platform includes a REST-based Audit Logging Service that captures auditing events across all platform components. Audit logs gather operational information about events occurring within a deployment to track processes and security data, including authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes. Audit logs are commonly consumed by third-party SIEM and analytics solutions, such as FireEye®, Guardian Analytics®, Logstash and Splunk®.

The Audit Logging Service uses a structured message format that adheres to a consistent and documented log structure common across the platform components. Each request carries a transaction ID, so events belonging to one request can be correlated as it traverses the components of the platform.
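As an added illustration of the transaction ID correlation described above (example code written for this page, not code from ForgeRock or from the original article), the following Python script groups JSON-lines audit events by transactionId, orders each transaction's events by timestamp across components, and flags transactions in which any component recorded a failed outcome. The sample lines and the field names they use (timestamp, eventName, component, transactionId, response.status) are constructed for the illustration and are assumptions about the JSON handler's output, not the product's documented schema.

```python
import json
from collections import defaultdict

# Constructed sample lines in the style of the platform's JSON audit handler output.
# Not real captures: the field names used here (timestamp, eventName, component,
# transactionId, response.status) are assumptions for this illustration.
SAMPLE_LOG = """\
{"timestamp":"2022-03-08T10:00:00.150Z","eventName":"AM-ACCESS-OUTCOME","component":"AM","transactionId":"tx-1","userId":"alice","response":{"status":"SUCCESSFUL"}}
{"timestamp":"2022-03-08T10:00:00.101Z","eventName":"IG-ACCESS","component":"IG","transactionId":"tx-1","request":{"path":"/login"}}
{"timestamp":"2022-03-08T10:00:00.310Z","eventName":"IDM-ACCESS","component":"IDM","transactionId":"tx-1","userId":"alice","response":{"status":"SUCCESSFUL"}}
{"timestamp":"2022-03-08T10:00:01.000Z","eventName":"IG-ACCESS","component":"IG","transactionId":"tx-2","request":{"path":"/login"}}
{"timestamp":"2022-03-08T10:00:01.040Z","eventName":"AM-ACCESS-OUTCOME","component":"AM","transactionId":"tx-2","userId":"mallory","response":{"status":"FAILED"}}
{"timestamp":"2022-03-08T10:00:02.000Z","eventName":"AM-CONFIG-CHANGE","component":"AM"}
not json at all
"""

def parse_events(text):
    """Parse one JSON event per line; return (events, count of malformed lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # keep going: one bad line must not hide the rest of the log
    return events, bad

def correlate(events):
    """Group events by transactionId, ordering each group by timestamp (ISO-8601
    UTC strings sort correctly as text). Events lacking an ID are returned apart."""
    groups, orphans = defaultdict(list), []
    for ev in events:
        tx = ev.get("transactionId")
        (groups[tx] if tx else orphans).append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["timestamp"])
    return dict(groups), orphans

def failed_transactions(groups):
    """Transaction IDs in which any component recorded a FAILED outcome."""
    return sorted(tx for tx, evs in groups.items()
                  if any(e.get("response", {}).get("status") == "FAILED" for e in evs))

if __name__ == "__main__":
    groups, orphans = correlate(parse_events(SAMPLE_LOG)[0])
    for tx, evs in groups.items():
        print(tx, " -> ".join(f'{e["component"]}:{e["eventName"]}' for e in evs))
    print("failed:", failed_transactions(groups), "| no transactionId:", len(orphans))
```

Events without a transaction ID (the constructed configuration change above) are kept separately rather than dropped, since they still matter for configuration-change auditing even though they cannot be tied to a request.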

For certain events, there is further granular control over which actions on objects are logged (for example, read, create, update, delete, patch, action, query) along with granular control over the amount of detail (for example, object ID, action, mapping, situation, status or timestamp).

Audit Logging Service features

The Audit Logging Service includes the following features:

  • Audit Event Buffering: Batch processing that stores log messages in memory and flushes the buffer after a pre-configured time interval or when the number of buffered messages reaches the configured threshold.
  • Audit Event Handlers: Let you write logs to multiple destinations using the JSON, CSV, Syslog, JMS and JDBC handlers.
  • Audit Log Topics: A category of audit log event that has a one-to-one mapping to a schema type. See Audit log topics for further details.
  • Blacklisting Sensitive Fields: Filtering that lets you hide sensitive values (for example, in HTTP headers, query parameters or cookies) or the entire field.
  • Global and Realm-Based Log Configuration: Lets you configure audit logging globally or per realm in ForgeRock Access Management (AM).
  • Log Rotation and Retention Policies: Size- or time-based rotation policies. You can also disable log rotation and use an external log rotation tool.
  • REST API: Consuming applications can access audit logs through a REST API.
  • Reverse DNS Lookup: Reverse DNS lookup of logged IP addresses, for network troubleshooting.
  • Tamper-Evident Logging: Lets you digitally sign your audit logs so that you can verify they have not been tampered with.

Audit log topics

ForgeRock Access Management (AM) supports the following audit log topics:

  • Access details (includes authorization decisions)
  • System activity
  • Authentication operations
  • Configuration changes

ForgeRock Identity Management (IDM) supports the following audit log topics:

  • Access details
  • System activity
  • Authentication operations
  • Configuration changes
  • Reconciliations
  • Synchronizations (for example, provisioning)

ForgeRock Directory Services (DS) and ForgeRock Identity Gateway (IG) support the access audit log topic. The access topic logs all incoming requests and outgoing responses, and can be filtered by field. In IG, the audit log is configurable per route.

As well as the common audit framework, DS supports a wide range of additional logging and monitoring capabilities, including monitoring over LDAP, SNMP, and JMX. Logging includes access logs, error logs, HTTP access logs, replication logs, and debug logs.

Exposing audit data in external reporting tools

The flexible audit framework architecture features audit handlers that can export data in a format specific to external reporting tools. Built-in audit event handlers include:

  • JSON files
  • CSV files
  • JDBC relational database
  • JMS topics
  • Syslog

IDM also includes a dashboard in which third-party reporting widgets, such as Kibana or Grafana, can be embedded.

Extending the audit framework

The audit framework is designed to be extended. For example, a custom node is available on the ForgeRock Marketplace to push specific authentication journey events to Apache Kafka®. Kafka can be used as an audit buffer, so that no audit record is lost when the main audit data management platform becomes temporarily unavailable.

A custom audit handler for Microsoft Azure® Sentinel is also available on the ForgeRock Marketplace.

See Also

Setting Up Audit Logging

Audit Logging

Audit Guide

Monitoring and Auditing

Does Identity Cloud include an audit logging service?


Copyright © 2022 ForgeRock, all rights reserved.