Missing entries in the Audit logs after upgrading to, or installing IDM 7.x
This article helps if you find that the audit logs for Access, Activity, Authentication, Configuration, Reconciliation and/or Synchronization events do not include all the entries you expect in IDM. Typical omissions are missing "before" and "after" fields in the Activity audit log (activity.audit.json) or missing request headers in the Access audit log (access.audit.json).
Symptoms
After upgrading to, or installing IDM 7.x, you notice the audit logs do not include all the entries you were expecting. If you have upgraded, you will notice differences when comparing the audit log output from an earlier IDM version to the output in IDM 7.x.
Common examples of omissions you might notice are as follows, but this issue can affect any of the audit logs and a variety of entries:
- The Activity audit log (activity.audit.json) no longer includes the "before" and "after" fields.
- The Access audit log (access.audit.json) does not output all the headers from a request.
Recent Changes
Upgraded to, or installed IDM 7 or later.
Causes
Changes were made to logging in IDM 7 to safelist audit data. See What's New (IDM 7.0.0 > Audit Logging Safelist) for further information.
The safelist is included in the documentation so you can see which fields are logged by default: Default audit log safelists by event topic. Any fields not listed are excluded by default from the audit log outputs.
Solution
This issue can be resolved by adding any required fields to the includeIf property in the audit.json file (located in the /path/to/idm/conf directory). See Use policies to filter audit data for further information.
Caution
When adding non-safelisted audit event fields, be mindful of the type of information that you intend to expose in the logs. For example, you may need to keep personally identifiable information (PII) out of the logs.
Examples
The following examples demonstrate what you would add to the includeIf property in the audit.json file to include some additional fields in your audit logs.
- Activity audit log: Include before and after fields for changes to a user's email address or last name:
  "includeIf": [ "/activity/before/mail", "/activity/after/mail", "/activity/before/sn", "/activity/after/sn" ]
- Access audit log: Include the ACCEPT-LANGUAGE header and the HTTP_REQUEST_QUERYPARAMETERS field:
  "includeIf": [ "/access/http/request/headers/accept-language", "/access/http/request/queryParameters" ]
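The following is an added example, not ForgeRock code: a pre-change check that reviews the pointers you plan to add to includeIf, in line with the Caution above, and merges only the well-formed ones without duplicates. It works on the includeIf list itself, so it assumes nothing about where that property sits in your audit.json. The PII attribute list, the function names, and the assumption that a pointer to a whole "before" or "after" object logs every attribute in it are illustrative.

```python
# Added example: review JSON pointers before merging them into includeIf.
# IDM topic identifiers for the six event types this article lists.
TOPICS = {"access", "activity", "authentication", "config", "recon", "sync"}
# Hypothetical list: attributes your organization treats as PII.
PII_ATTRS = {"mail", "sn", "givenName", "telephoneNumber", "postalAddress"}


def review_pointer(ptr):
    """Return findings for one pointer; an empty list means no concerns."""
    parts = ptr.split("/")[1:] if ptr.startswith("/") else []
    if len(parts) < 2 or "" in parts or parts[0] not in TOPICS:
        return ["invalid: expected /<topic>/<field>[/...]"]
    findings = []
    if parts[0] == "activity" and parts[1] in ("before", "after"):
        if len(parts) == 2:
            findings.append("broad: logs every attribute of the object")
        elif parts[2] in PII_ATTRS:
            findings.append("pii: " + parts[2])
    if parts == ["access", "http", "request", "headers"]:
        findings.append("broad: logs every request header")
    return findings


def merge_include_if(existing, requested):
    """Merge valid pointers without duplicates; return (merged, report)."""
    merged, report = list(existing), {}
    for ptr in requested:
        report[ptr] = review_pointer(ptr)
        invalid = any(f.startswith("invalid") for f in report[ptr])
        if not invalid and ptr not in merged:
            merged.append(ptr)
    return merged, report


# Constructed sample: one pointer already configured, then the pointers from
# this article plus two deliberately poor requests.
EXISTING = ["/activity/before/mail"]
REQUESTED = [
    "/activity/before/mail", "/activity/after/mail",
    "/activity/before/sn", "/activity/after/sn",
    "/access/http/request/headers/accept-language",
    "/access/http/request/queryParameters",
    "/activity/before",      # whole object, flagged as broad
    "activity/after/sn",     # missing leading slash, rejected
]

if __name__ == "__main__":
    merged, report = merge_include_if(EXISTING, REQUESTED)
    print('"includeIf": [ %s ]' % ", ".join('"%s"' % p for p in merged))
    for ptr, findings in report.items():
        for finding in findings:
            print("%-50s %s" % (ptr, finding))
```

Pointers flagged as "pii" or "broad" are still merged; the report is there so that someone signs off on them before the change reaches production.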
See Also
Use policies to filter audit data