Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Missing entries in the Audit logs after upgrading to, or installing IDM 7.x

Last updated Mar 15, 2023

The purpose of this article is to provide assistance if you find the audit logs for Access, Activity, Authentication, Configuration, Reconciliation and/or Synchronization events do not include all the expected entries in IDM. Omissions may include missing "before" and "after" fields in the Activity audit log (activity.audit.json) or missing request headers in the Access audit log (access.audit.json).


Symptoms

After upgrading to, or installing IDM 7.x, you notice the audit logs do not include all the entries you were expecting. If you have upgraded, you will notice differences when comparing the audit log output from an earlier IDM version to the output in IDM 7.x.

Common examples of omissions you might notice are as follows, but this issue can affect any of the audit logs and a variety of entries:

  • The Activity audit log (activity.audit.json) no longer includes the "before" and "after" fields.
  • The Access audit log (access.audit.json) does not output all the headers from a request.

Recent Changes

Upgraded to, or installed IDM 7 or later.

Causes

Changes were made to logging in IDM 7 to safelist audit data. See What's New (IDM 7.0.0 > Audit Logging Safelist) for further information.

The safelist is included in the documentation so you can see which fields are logged by default: Default audit log safelists by event topic. Any fields not listed are excluded by default from the audit log outputs.

Solution

This issue can be resolved by adding any required fields to the includeIf property in the audit.json file (located in the /path/to/idm/conf directory). See Use policies to filter audit data for further information.

Caution

When adding non-safelisted audit event fields, be mindful of the type of information that you intend to expose in the logs. For example, you may need to keep personally identifiable information (PII) out of the logs.

Examples

The following examples demonstrate what you would add to the includeIf property in the audit.json file to include some additional fields in your audit logs.

  • Activity audit log: Include before and after fields for changes to a user's email address or last name:

      "includeIf": [
        "/activity/before/mail",
        "/activity/after/mail",
        "/activity/before/sn",
        "/activity/after/sn"
      ]

  • Access audit log: Include the ACCEPT-LANGUAGE header and the HTTP_REQUEST_QUERYPARAMETERS field:

      "includeIf": [
        "/access/http/request/headers/accept-language",
        "/access/http/request/queryParameters"
      ]
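
The following script is an added example, not ForgeRock code. It collects every includeIf entry from an audit.json file and flags the ones that warrant the privacy review described in the Caution above. The enclosing key names in the sample and the SENSITIVE_SEGMENTS list are assumptions; the pointers are the ones from the examples above.

```python
import json

# Constructed sample: the two includeIf lists from the examples above merged into
# one audit.json fragment. The enclosing key names are an assumption.
SAMPLE_AUDIT_JSON = """
{"auditServiceConfig": {"filterPolicies": {"field": {
  "excludeIf": [],
  "includeIf": [
    "/activity/before/mail",
    "/activity/after/mail",
    "/activity/before/sn",
    "/activity/after/sn",
    "/access/http/request/headers/accept-language",
    "/access/http/request/queryParameters"
  ]
}}}}
"""

# Hypothetical reviewer-maintained list of path segments that can carry PII or
# secrets; adjust it to your own data classification.
SENSITIVE_SEGMENTS = {"mail", "sn", "givenname", "telephonenumber",
                      "password", "queryparameters", "cookies", "authorization"}

def find_include_if(node):
    """Yield every includeIf entry found anywhere in the parsed config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "includeIf" and isinstance(value, list):
                yield from value
            else:
                yield from find_include_if(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_include_if(item)

def review(config_text):
    """Return (pointer, finding) pairs for entries that need attention."""
    findings = []
    for pointer in find_include_if(json.loads(config_text)):
        segments = [s.lower() for s in str(pointer).split("/") if s]
        hits = sorted(SENSITIVE_SEGMENTS.intersection(segments))
        if not str(pointer).startswith("/") or len(segments) < 2:
            findings.append((pointer, "malformed pointer"))
        elif hits:
            findings.append((pointer, "privacy review: " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for pointer, finding in review(SAMPLE_AUDIT_JSON):
        print(f"{pointer}: {finding}")
```

Run against the sample, it flags the four mail and sn pointers and the queryParameters pointer, and leaves the accept-language header unflagged.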

See Also

Use policies to filter audit data

Audit log schema



Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.