How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure IDM 5.x and 6.x to log synchronization data to the audit log?

Last updated Feb 24, 2021

The purpose of this article is to provide information on configuring IDM to log synchronization data to the audit log. Auditing data received from a source system via reconciliation and LiveSync can be useful for troubleshooting and debugging purposes.


Overview

There have been changes to audit logging in IDM 7; you should refer to the documentation for further information: Audit Guide.

Pre-IDM 7

You can use the script hooks invoked during sync operations to create log or audit entries, for example, onSync. If you specifically want to send output to the audit logs, you can use openidm.create with either the audit/sync or audit/recon resource; if you do this, you must include the transactionId and timestamp fields (they cannot be null). For example, a very basic script would be:

var content = {}; content.message = "Got here!"; content.transactionId= "yourTransactionId"; content.timestamp = "yourTimestamp" openidm.create("audit/sync", null, content);

See Integrator's Guide › Variables Available to Scripts for information on what variables are available for the various scripts.

Outputting sync data to logs

The following example demonstrates how to output sync data to the sync.audit.json file. You should update the onCreate and onUpdate scripts in the mappings from external systems to managed user (or similar) section in the sync.json file (located in the /path/to/idm/conf directory), for example:

            "onCreate" : {                 "type" : "text/javascript",                 "globals" : { },                 "source" : "var content = {};\ncontent.message = \"Create - got here!\";\ncontent.transactionId= \"yourTransactionId\";\ncontent.timestamp = \"yourTimestamp\";\nopenidm.create(\"audit/sync\", null, content);"             },             "onUpdate" : {                 "type" : "text/javascript",                 "globals" : { },                 "source" : "var content = {};\ncontent.message = \"Update - got here!\";\ncontent.transactionId= \"yourTransactionId\";\ncontent.timestamp = \"yourTimestamp\";\nopenidm.create(\"audit/sync\", null, content);"             }

Example output in the sync.audit.json file:{"source":{"objectClass":["top","inetOrgPerson","organizationalPerson","person"],"kbaInfo":[],"employeeType":null,"mail":"jdoe@example.com","aliasList":[],"ldapGroups":[],"description":null,"sn":"doe","givenName":"john","disabled":null,"telephoneNumber":"12344512123123123","uid":"jdoe","cn":"john","dn":"uid=jdoe,ou=People,dc=example,dc=com","_id":"uid=jdoe,ou=People,dc=example,dc=com"},"message":"Update - got here!","transactionId":"yourTransactionId","timestamp":"yourTimestamp","target":{"displayName":"john","description":null,"givenName":"john","mail":"jdoe@example.com","telephoneNumber":"12344512123123123","sn":"doe","userName":"jdoe","ldapGroups":[],"accountStatus":"active","effectiveRoles":[],"effectiveAssignments":[],"_id":"1d91475b-d34a-4703-96a0-478bac1850b4","_rev":"7","lastSync":{"managedUser_systemLdapAccounts":{"effectiveAssignments":[],"timestamp":"2017-09-15T14:39:41.102+01:00"}},"preferences":{"updates":false,"marketing":false},"password":{"$crypto":{"type":"x-simple-encryption","value":{"cipher":"AES/CBC/PKCS5Padding","salt":"UCfiBDHiCjEazOJEecJBGA==","data":"BKR+yuBkg6NwMJCAHdfDMw==","iv":"Tuqiskep3wpbJApmO/6Y/g==","key":"openidm-sym-default","mac":"ANBABUHS+b+0/+63M2wIJA=="}}}},"_id":"105054a4-395c-4cbb-b8d3-2610fb51e3c2-381"}

See Also

How do I monitor LiveSync activity using REST in IDM (All versions)?

How do I query individual reconciliation synchronization failures using REST in IDM (All versions)?

How do I identify reconciliation performance issues in IDM (All versions)?

Troubleshooting IDM

Integrator's Guide › Setting Up Audit Logging

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.