Troubleshooting Identity Cloud


Sending troubleshooting data to ForgeRock Support for analysis

The purpose of this article is to provide information on sending troubleshooting and diagnostic data that ForgeRock Support has requested for analysis using ticket attachments.

Sending data for analysis

You can attach troubleshooting and diagnostic data to tickets in BackStage. When using BackStage to access tickets, there are no limits to the attachment size; this is the recommended method of sending us troubleshooting and diagnostic data.

Please make sure you only attach files that are not operating system or software specific. For example, use file types such as .txt, .pdf, .png, .gif or .jpeg.

See Uploading Files for further information on uploading files to BackStage.

See Also

Identity Cloud 

Access Management

Directory Services

Identity Management

Identity Gateway


How do I create a HAR file for troubleshooting Identity Cloud?

The purpose of this article is to provide information on creating a HAR file (HTTP ARchive) for troubleshooting Identity Cloud.

Overview

A HAR file is output by browser developer tools and other browser extensions. It is essentially a recording of interactions between the browser and application in JSON format; it can be very useful for troubleshooting as it can help identify where the issue is occurring. 

Creating a HAR file

You can create a HAR file as follows:

Chrome™ browser

  1. Launch the Developer Tools in Chrome and select the Network tab.
  2. Select the Preserve log option to ensure the entire request is saved, even if you are redirected.
  3. Enter the URL where you have been experiencing issues and re-create the issue. Do not open a new browser tab as Chrome records details on the tab initially shown when the Developer Tools were launched.
  4. Right-click within the Network window and select the Save all as HAR with content option.

Firefox® browser

  1. Launch the Developer Tools in Firefox and select the Network option.
  2. Select the Persist Logs option on the Network tab to ensure the entire request is saved, even if you are redirected.
  3. Enter the URL where you have been experiencing issues and re-create the issue. Do not open a new browser tab as Firefox records details on the tab initially shown when the Developer Tools were launched.
  4. Right-click within the Network window and select the Save All As HAR option.

Microsoft® Edge

  1. Launch the Developer Tools in Microsoft Edge and select the Network tab.
  2. Select the Preserve log option to ensure the entire request is saved, even if you are redirected.
  3. Enter the URL where you have been experiencing issues and re-create the issue. Do not open a new browser tab as Microsoft Edge records details on the tab initially shown when the Developer Tools were launched.
  4. Right-click within the Network window and select the Save all as HAR with content option.
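A HAR saved "with content" records every request and response header, which for an Identity Cloud session includes the SSO cookie, session JWTs and any bearer token the browser sent. The following Python example, added here and not part of the original article or of ForgeRock's tooling, blanks those values before the file is attached to a ticket and reports anything it left behind. The header list, the placeholder tenant name and the one-entry sample HAR are the example's own constructions.

```python
import json
from copy import deepcopy

# Header names whose values must not reach a support ticket. This list is the
# example's own choice (assumption), not something the article specifies.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-api-key", "x-api-secret",
}
REDACTED = "[REDACTED]"


def _redact_headers(headers):
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED


def _redact_cookies(cookies):
    for cookie in cookies:
        if "value" in cookie:
            cookie["value"] = REDACTED


def redact_har(har):
    """Return a copy of a parsed HAR with credential-bearing values blanked.
    Request and response headers and cookie arrays are redacted; URLs, methods,
    status codes and timings (what support needs to locate the failing call) stay."""
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            _redact_headers(message.get("headers", []))
            _redact_cookies(message.get("cookies", []))
    return out


def sensitive_values(har):
    """(entry index, header name) pairs whose sensitive header is still unredacted;
    an empty list means the file is safe to attach."""
    found = []
    for index, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            for header in entry.get(side, {}).get("headers", []):
                name = header.get("name", "")
                if name.lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    found.append((index, name))
    return found


# Constructed sample: a minimal HAR 1.2 log with one token request against a
# placeholder tenant; the cookie and token values are made up.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "POST",
            "url": "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token",
            "headers": [
                {"name": "Cookie", "value": "iPlanetDirectoryPro=example-session-token"},
                {"name": "Content-Type", "value": "application/x-www-form-urlencoded"},
            ],
            "cookies": [{"name": "iPlanetDirectoryPro", "value": "example-session-token"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "session-jwt=example; Secure; HttpOnly"}],
            "cookies": [{"name": "session-jwt", "value": "example"}],
        },
    }]}
}

if __name__ == "__main__":
    clean = redact_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("remaining sensitive headers:", sensitive_values(clean))
```

Run it against a real capture by loading the saved .har with json.load, passing the result to redact_har, and only attaching the file once sensitive_values on the redacted copy returns an empty list.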

See Also

View Audit Logs


Logging


What logging sources are available in Identity Cloud?

The purpose of this article is to describe the sources available for audit and debug logging in Identity Cloud. These logs can be useful for troubleshooting.

Overview

Identity Cloud provides audit logging to help you to investigate user and system behavior, and debug logging to help you and ForgeRock support staff investigate any issues which may arise in production. 

Logs in Identity Cloud are stored in various sources, allowing you to view just the logs you are interested in. The available sources are described under Source descriptions below.

Note

Identity Cloud stores audit data for 30 days. To keep audit data for longer, you'll need to store it in your own data stores. Currently, you can only gather audit logs by pulling them from the REST API endpoint (/monitoring/logs).

Viewing the logs

To view the logs in Identity Cloud, you'll use the /monitoring/logs API endpoint. You'll need an API key and secret before you can authenticate to this endpoint. See Authenticate to Identity Cloud REST API with API Key and Secret for further information.

You can get a list of available sources by running the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-name> with the name of your Identity Cloud tenant:

curl \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
'https://<tenant-name>.forgeblocks.com/monitoring/logs/sources'

The output appears similar to this:

{
   "resultCount" : 22,
   "pagedResultsCookie" : null,
   "remainingPagedResults" : 0,
   "result" : [
      "am-access",
      "am-activity",
      "am-authentication",
      "am-config",
      "am-core",
      "am-everything",
      "ctsstore",
      "ctsstore-access",
      "ctsstore-config-audit",
      "ctsstore-upgrade",
      "idm-access",
      "idm-activity",
      "idm-authentication",
      "idm-config",
      "idm-core",
      "idm-everything",
      "idm-sync",
      "userstore",
      "userstore-access",
      "userstore-config-audit",
      "userstore-ldif-importer",
      "userstore-upgrade"
   ],
   "totalPagedResultsPolicy" : "NONE",
   "totalPagedResults" : 1
}

Note

Some of the log sources listed are not used by Identity Cloud and can be ignored. These are: ctsstore, ctsstore-access, ctsstore-config-audit, ctsstore-upgrade, userstore, userstore-access, userstore-ldif-importer, and userstore-upgrade.

Viewing the logs for a source

To view the logs for a source, run the following command, replacing the <API-KEY> and <API-SECRET> with your own details, and <tenant-name> with the name of your Identity Cloud tenant. Replace <SourceName> with the appropriate source from the list above, and add the required begin and end times:

curl --get \
--header 'x-api-key: <API-KEY>' \
--header 'x-api-secret: <API-SECRET>' \
--data 'beginTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'endTime=yyyy-mm-ddThh:mm:ss.ssZ' \
--data 'source=<SourceName>' \
'https://<tenant-name>.forgeblocks.com/monitoring/logs'

Note

To reduce the size of the output, logging queries are restricted to within a 24-hour period.
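The two commands above fetch one source for one window of at most 24 hours. The following Python example, added here and not taken from the article or from ForgeRock, splits a longer range into 24-hour windows, builds the matching /monitoring/logs query URLs, and filters a parsed sources listing down to the sources the note above says are in use. The tenant name example-tenant, the constructed listing and the helper names are assumptions of the example; the API key and secret stay in request headers and never appear in a URL.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Sources the article says Identity Cloud does not populate; dropped from listings.
UNUSED_SOURCES = {
    "ctsstore", "ctsstore-access", "ctsstore-config-audit", "ctsstore-upgrade",
    "userstore", "userstore-access", "userstore-ldif-importer", "userstore-upgrade",
}

# Longest window a single /monitoring/logs query may cover.
MAX_WINDOW = timedelta(hours=24)

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_ts(text):
    """Parse a yyyy-mm-ddThh:mm:ss.ssZ timestamp into an aware UTC datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def fmt(ts):
    """Render a UTC datetime in the yyyy-mm-ddThh:mm:ss.ssZ form of the article's
    placeholder (two fractional digits)."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + "%02d" % (ts.microsecond // 10000) + "Z"


def split_windows(begin, end, max_window=MAX_WINDOW):
    """Split [begin, end) into consecutive windows, none longer than max_window."""
    if end <= begin:
        raise ValueError("endTime must be after beginTime")
    windows, cursor = [], begin
    while cursor < end:
        stop = min(cursor + max_window, end)
        windows.append((cursor, stop))
        cursor = stop
    return windows


def build_queries(tenant, source, begin, end):
    """One /monitoring/logs URL per window. The key and secret belong in the
    x-api-key and x-api-secret headers (as in the curl commands), not here."""
    base = "https://%s.forgeblocks.com/monitoring/logs" % tenant
    return [
        base + "?" + urlencode({"beginTime": fmt(b), "endTime": fmt(e), "source": source})
        for b, e in split_windows(begin, end)
    ]


def usable_sources(listing):
    """Filter a parsed /monitoring/logs/sources response to the sources in use."""
    return [s for s in listing.get("result", []) if s not in UNUSED_SOURCES]


# Constructed sample listing, mirroring the 22 sources shown in the article.
SAMPLE_LISTING = {
    "resultCount": 22, "pagedResultsCookie": None, "remainingPagedResults": 0,
    "result": [
        "am-access", "am-activity", "am-authentication", "am-config", "am-core",
        "am-everything", "ctsstore", "ctsstore-access", "ctsstore-config-audit",
        "ctsstore-upgrade", "idm-access", "idm-activity", "idm-authentication",
        "idm-config", "idm-core", "idm-everything", "idm-sync", "userstore",
        "userstore-access", "userstore-config-audit", "userstore-ldif-importer",
        "userstore-upgrade",
    ],
    "totalPagedResultsPolicy": "NONE", "totalPagedResults": 1,
}

if __name__ == "__main__":
    begin = parse_ts("2021-10-11T00:00:00.00Z")
    end = parse_ts("2021-10-13T12:00:00.00Z")   # 2.5 days, so three windows
    for url in build_queries("example-tenant", "am-access", begin, end):
        print(url)
    print("sources in use:", usable_sources(SAMPLE_LISTING))
```

Each URL the block prints is what the curl --get command above assembles from its --data arguments; pass it with the same two headers, one request per window, and concatenate the result arrays.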

Source descriptions

Each source is listed below with its type (Audit, Debug, or both) and a description.

am-access (Audit)

Captures all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request. 

Audit events

  • AM-ACCESS-ATTEMPT
  • AM-ACCESS-OUTCOME

Example output

{
   "payload" : {
      "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783933",
      "client" : {
         "ip" : "198.51.100.0"
      },
      "component" : "OAuth",
      "eventName" : "AM-ACCESS-ATTEMPT",
      "http" : {
         "request" : {
            "headers" : {
               "content-type" : [
                  "application/x-www-form-urlencoded"
               ],
               "host" : [
                  "<tenant-name>.forgeblocks.com"
               ],
               "user-agent" : [
                  "Apache-HttpClient/4.5.13 (Java/11.0.11)"
               ],
               "x-forwarded-for" : [
                  "198.51.100.0, 203.0.113.0, 192.0.2.255"
               ],
               "x-forwarded-proto" : [
                  "https"
               ]
            },
            "method" : "POST",
            "path" : "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token",
            "secure" : true
         }
      },
      "level" : "INFO",
      "realm" : "/alpha",
      "request" : {
         "detail" : {
            "client_id" : "RCSClient",
            "grant_type" : "client_credentials",
            "scope" : "fr:idm:*"
         }
      },
      "source" : "audit",
      "timestamp" : "2021-10-13T09:20:08.646Z",
      "topic" : "access",
      "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0"
   },
   "timestamp" : "2021-10-13T09:20:08.648449536Z",
   "type" : "application/json"
},
{
   "payload" : {
      "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783941",
      "client" : {
         "ip" : "198.51.100.0"
      },
      "component" : "OAuth",
      "eventName" : "AM-ACCESS-OUTCOME",
      "http" : {
         "request" : {
            "headers" : {
               "content-type" : [
                  "application/x-www-form-urlencoded"
               ],
               "host" : [
                  "<tenant-name>.forgeblocks.com"
               ],
               "user-agent" : [
                  "Apache-HttpClient/4.5.13 (Java/11.0.11)"
               ],
               "x-forwarded-for" : [
                  "198.51.100.0, 203.0.113.0, 192.0.2.255"
               ],
               "x-forwarded-proto" : [
                  "https"
               ]
            },
            "method" : "POST",
            "path" : "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token",
            "secure" : true
         }
      },
      "level" : "INFO",
      "realm" : "/alpha",
      "response" : {
         "detail" : {
            "scope" : "fr:idm:*",
            "token_type" : "Bearer"
         },
         "elapsedTime" : 50,
         "elapsedTimeUnits" : "MILLISECONDS",
         "status" : "SUCCESSFUL",
         "statusCode" : "200"
      },
      "source" : "audit",
      "timestamp" : "2021-10-13T09:20:08.696Z",
      "topic" : "access",
      "trackingIds" : [
         "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783934",
         "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-783939"
      ],
      "transactionId" : "1634116808645-2e50ecbf0df5407a6870-226587/0",
      "userId" : "id=RCSClient,ou=agent,o=alpha,ou=services,ou=am-config"
   },
   "timestamp" : "2021-10-13T09:20:08.696794524Z",
   "type" : "application/json"
},

Further information

See Access Log Format for information on am_access properties.

am-activity (Audit)

Captures state changes to objects that have been created, updated, or deleted by Identity Cloud end-users. This includes session, user profile, and device profile changes.

Audit events

  • AM-SELFSERVICE-REGISTRATION-COMPLETED
  • AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED
  • AM-SESSION-CREATED
  • AM-SESSION-IDLE_TIME_OUT
  • AM-SESSION-MAX_TIMED_OUT
  • AM-SESSION-LOGGED_OUT
  • AM-SESSION-DESTROYED
  • AM-SESSION-PROPERTY_CHANGED
  • AM-IDENTITY-CHANGE
  • AM-GROUP-CHANGE

Example output

{
   "timestamp" : "2021-08-25T12:19:15.247547764Z",
   "payload" : {
      "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195032",
      "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023",
      "transactionId" : "cf2a721c-9cec-4224-bdd1-3a33e1f8ed56/4",
      "level" : "INFO",
      "eventName" : "AM-SESSION-CREATED",
      "timestamp" : "2021-08-25T12:19:15.246Z",
      "component" : "Session",
      "source" : "audit",
      "topic" : "activity",
      "trackingIds" : [
         "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195023"
      ],
      "realm" : "/",
      "userId" : "id=amadmin,ou=user,ou=am-config",
      "runAs" : "id=amadmin,ou=user,ou=am-config",
      "operation" : "CREATE"
   },
   "type" : "application/json"
},
{
   "type" : "application/json",
   "timestamp" : "2021-08-25T12:19:27.761843277Z",
   "payload" : {
      "transactionId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-1",
      "level" : "INFO",
      "eventName" : "AM-SESSION-IDLE_TIMED_OUT",
      "timestamp" : "2021-08-25T12:19:27.761Z",
      "component" : "Session",
      "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-195043",
      "objectId" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839",
      "trackingIds" : [
         "3fc956b8-00a1-4e10-b8aa-72295d003bfb-65488",
         "3fc956b8-00a1-4e10-b8aa-72295d003bfb-187839"
      ],
      "realm" : "/",
      "runAs" : "",
      "userId" : "id=amadmin,ou=user,ou=am-config",
      "operation" : "DELETE",
      "topic" : "activity",
      "source" : "audit"
   }
},

Further information

See Activity Log Format for information on am_activity properties.

am-authentication (Audit)

Captures when and how a user is authenticated and related audit events. 

Identity Cloud records an authentication audit event for each authentication node and the journey outcome. A node can provide extra data in the standard audit event, which is logged when an authentication node completes. Identity Cloud logs an AM-NODE-LOGIN-COMPLETED audit event each time an authentication node completes. 

Audit events

  • AM-LOGOUT
  • AM-LOGIN-COMPLETED
  • AM-LOGIN-MODULE-COMPLETED
  • AM-NODE-LOGIN-COMPLETED
  • AM-TREE-LOGIN-COMPLETED

Example output

{
   "type" : "application/json",
   "timestamp" : "2021-08-25T11:33:32.56492651Z",
   "payload" : {
      "topic" : "authentication",
      "eventName" : "AM-NODE-LOGIN-COMPLETED",
      "transactionId" : "ad56bedd-7dab-45d1-84d9-505b0b64fd6d/6",
      "principal" : [
         "amadmin"
      ],
      "timestamp" : "2021-08-25T11:33:32.564Z",
      "component" : "Authentication",
      "source" : "audit",
      "realm" : "/",
      "entries" : [
         {
            "info" : {
               "authLevel" : "0",
               "displayName" : "Page Node",
               "nodeId" : "83a9d86e-d6f5-11ea-87d0-0242ac130003",
               "nodeOutcome" : "outcome",
               "treeName" : "FRLogin",
               "nodeType" : "PageNode"
            }
         }
      ],
      "level" : "INFO",
      "trackingIds" : [
         "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184020"
      ],
      "_id" : "3fc956b8-00a1-4e10-b8aa-72295d003bfb-184022"
   }
},

Further information

See Authentication Log Format for information on am_authentication properties.

am-config (Audit)

Captures access management configuration changes for Identity Cloud with a timestamp and by whom. 

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments. When promoting the environment, ForgeRock will provide a promotion report which includes the changes in the config logs for Development that have been made since the last promotion. See Promote Configuration for further information on promoting configuration.

Audit events

  • AM-CONFIG-CHANGE

Example output

{
   "payload" : {
      "_id" : "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-822860",
      "eventName" : "AM-CONFIG-CHANGE",
      "level" : "INFO",
      "objectId" : "ou=Office365,ou=dashboardApp,ou=default,ou=GlobalConfig,ou=1.0,ou=dashboardService,ou=services,ou=am-config",
      "operation" : "CREATE",
      "runAs" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config",
      "source" : "audit",
      "timestamp" : "2021-10-13T10:47:38.663Z",
      "topic" : "config",
      "trackingIds" : [
         "92c9b6a4-f36f-438a-b1d4-c6e6bd909da6-821644"
      ],
      "transactionId" : "1634122041174-2e50ecbf0df5407a6870-229391/0",
      "userId" : "id=bd220328-9762-458b-b05a-982ac3c7fc54,ou=user,ou=am-config"
   },
   "timestamp" : "2021-10-13T10:47:38.668823043Z",
   "type" : "application/json"
},

Further information

See Config Log Format for information on am_configuration properties.

am-core (Debug)

Captures access management debug logs for Identity Cloud. Use am-core when debugging anything in access management without wanting to capture audit events.

In order to reduce log volumes, Staging and Production instances provide WARN level logs only.

For troubleshooting and to view the latest entries in the stored logs, you can tail the am-core source, as described in Tailing Logs.

Example output

{
   "timestamp" : "2021-08-03T08:00:33.099287329Z",
   "type" : "application/json",
   "payload" : {
      "mdc" : {
         "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18"
      },
      "timestamp" : "2021-08-03T08:00:33.098Z",
      "transactionId" : "eb8fc308-a81a-4567-a106-523cd8c6dec3/18",
      "level" : "DEBUG",
      "thread" : "http-nio-8080-exec-6",
      "message" : "AuthenticationOperations selected.",
      "context" : "default",
      "logger" : "com.iplanet.dpro.session.operations.ServerSessionOperationStrategy"
   }
},

am-everything (Audit, Debug)

Captures all access management audit and debug logs for Identity Cloud. This includes all the logs captured in am-access, am-activity, am-authentication, am-config and am-core.

idm-access (Audit)

Captures messages for the identity management REST endpoints and the invocation of scheduled tasks. This is the who, what, and output for every identity management access request in Identity Cloud.

Audit events

  • access

Example output

{
   "type" : "application/json",
   "payload" : {
      "response" : {
         "status" : "SUCCESSFUL",
         "elapsedTimeUnits" : "MILLISECONDS",
         "statusCode" : "200",
         "elapsedTime" : 3
      },
      "server" : {
         "ip" : "198.51.100.0",
         "port" : 8080
      },
      "roles" : [
         "internal/role/openidm-reg"
      ],
      "eventName" : "access",
      "http" : {
         "request" : {
            "path" : "http://idm/openidm/info/ping",
            "secure" : false,
            "method" : "GET",
            "headers" : {
               "host" : [
                  "idm"
               ]
            }
         }
      },
      "request" : {
         "protocol" : "CREST",
         "operation" : "READ"
      },
      "_id" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841755",
      "transactionId" : "5148ad59-d2fb-4207-a7d2-43f942ba93e7-6841744",
      "userId" : "anonymous",
      "timestamp" : "2021-08-03T08:05:43.617Z",
      "client" : {
         "port" : 8080,
         "ip" : "198.51.100.0"
      }
   },
   "timestamp" : "2021-08-03T08:05:46.054580251Z"
},

Further information

See Access Event Topic Properties for information on idm-access event properties.

idm-activity (Audit)

Captures operations on internal (managed) and external (system) objects in Identity Cloud. idm-activity logs the changes to identity content, such as adding or updating users, changing passwords, etc. 

Audit events

  • activity

Example output

{
   "timestamp" : "2021-08-27T15:14:49.508370169Z",
   "type" : "application/json",
   "payload" : {
      "_id" : "eebf2abb-e4f1-428f-8fbb-8c18ed3f9559-218925",
      "transactionId" : "1630077288251-f5190abcb8c2d0d42c31-136380/0",
      "message" : "",
      "timestamp" : "2021-08-27T15:14:48.43Z",
      "eventName" : "activity",
      "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54",
      "revision" : "00000000478fd92b",
      "operation" : "PATCH",
      "changedFields" : [],
      "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
      "passwordChanged" : true,
      "status" : "SUCCESS",
      "objectId" : "managed/alpha_user/e70c4476-1305-408a-9246-ac76c64ba039"
   }
},

Further information

See Activity Event Topic Properties for information on idm-activity event properties.

See How do I extend auditing in Identity Cloud to include additional fields? to include additional fields for managed object activities.

idm-authentication (Audit)

Captures the results when you authenticate to an /openidm endpoint to complete certain actions on an object.

If there is an existing authentication session in access management, another authentication to identity management is not required as the session is valid for the operation. In this case, you would see authentication logs for am-authentication; for identity management, the logs would be available in idm-access and idm-activity.

Audit events

  • authentication

Further information

See Authentication Event Topic Properties for information on idm-authentication event properties.

idm-config (Audit)

Captures configuration changes to Identity Cloud with a timestamp and by whom. 

Configuration changes can only be performed in the Development environment, so these logs will be empty in Staging and Production environments. When promoting the environment, ForgeRock will provide a promotion report which includes the changes in the config logs for Development that have been made since the last promotion. See Promote Configuration for further information on promoting configuration.

Audit events

  • CONFIG

Example output

{
   "payload" : {
      "_id" : "f6a3a7b2-aaf3-426d-a998-a970f84bdf4b-1519486",
      "changedFields" : [
         "/mappings"
      ],
      "eventName" : "CONFIG",
      "objectId" : "sync",
      "operation" : "UPDATE",
      "revision" : null,
      "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
      "timestamp" : "2021-10-12T16:05:47.217Z",
      "transactionId" : "1634054726312-2e50ecbf0df5407a6870-202437/0",
      "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54"
   },

Further information

See Configuration Event Topic Properties for information on idm-configuration event properties.

idm-core (Debug)

Captures debug logs for Identity Cloud. Use idm-core when debugging anything in identity management without wanting to capture audit events.

In order to reduce log volumes, Staging and Production instances include INFO and WARNING level logs only.

For troubleshooting and to view the latest entries in the stored logs, you can tail the idm-core source, as described in Tailing Logs.

Example output

{
   "type" : "text/plain",
   "timestamp" : "2021-08-31T01:00:38.083008561Z",
   "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.config.manage.ConfigObjectService read\n"
},
{
   "payload" : "FINE: Read configuration for service access\n",
   "timestamp" : "2021-08-31T01:00:38.083020673Z",
   "type" : "text/plain"
},
{
   "timestamp" : "2021-08-31T01:00:38.083262771Z",
   "type" : "text/plain",
   "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n"
},
{
   "payload" : "FINE: Access Check for HTTP request for resource id: info/ping, role: [internal/role/openidm-reg], method: read, action: \n",
   "timestamp" : "2021-08-31T01:00:38.083276635Z",
   "type" : "text/plain"
},
{
   "payload" : "Aug 31, 2021 1:00:38 AM org.forgerock.openidm.script.scope.FunctionFactory$4 call\n",
   "type" : "text/plain",
   "timestamp" : "2021-08-31T01:00:38.083586497Z"
},
{
   "payload" : "FINE: Request allowed\n",
   "timestamp" : "2021-08-31T01:00:38.083612635Z",
   "type" : "text/plain"
},
{
   "type" : "text/plain",
   "timestamp" : "2021-08-31T01:00:39.326788471Z",
   "payload" : "Aug 31, 2021 1:00:39 AM org.forgerock.openidm.internal.InternalObjectSet readInstance\n"
},

idm-everything (Audit, Debug)

Captures identity management audit and debug logs for Identity Cloud. This includes all the logs captured in idm-access, idm-activity, idm-authentication, idm-config and idm-core.

idm-sync (Audit)

Captures any changes made to an object resulting in automatic sync (live sync and implicit sync) to occur when you have a repository mapped to Identity Cloud. This includes situations and the actions taken on each object, by account. The idm-activity log contains additional details about each action.

Further information

See Synchronization Event Topic Properties for information on idm-sync event properties.

userstore-config-audit

Captures configuration changes to the identity store, including changes to your tenant's password policy made through the Identity Cloud Admin UI.

Example output

{
   "payload" : "replace: ds-cfg-password-history-count\n",
   "timestamp" : "2021-10-13T09:19:50.162871555Z",
   "type" : "text/plain"
},
{
   "payload" : "ds-cfg-password-history-count: 1\n",
   "timestamp" : "2021-10-13T09:19:50.162877212Z",
   "type" : "text/plain"
},
{
   "payload" : "-\n",
   "timestamp" : "2021-10-13T09:19:50.162883094Z",
   "type" : "text/plain"
},
{
   "payload" : "replace: ds-cfg-allow-pre-encoded-passwords\n",
   "timestamp" : "2021-10-13T09:19:50.162889023Z",
   "type" : "text/plain"
},
{
   "payload" : "ds-cfg-allow-pre-encoded-passwords: true\n",
   "timestamp" : "2021-10-13T09:19:50.162894647Z",
   "type" : "text/plain"
},

See Also

How do I extend auditing in Identity Cloud to include additional fields?

View Audit Logs


How do I extend auditing in Identity Cloud to include additional fields?

The purpose of this article is to provide information on extending Identity Cloud auditing to include additional fields for managed object activities. For example, you might want to include before and after values for changes to a user's email address or last name in your audit logs.

Overview

By default, Identity Cloud provides auditing on the managed object fields that are safe to log. You can include additional fields by adding them to the includeIf property in the audit configuration. For example, you might want to include before and after fields for certain activities, such as changes to a user's email address or last name, in your audit log.

You can only make configuration changes in your Development environment. ForgeRock then promotes configuration from Development to Staging and then to Production. See Understanding Identity Cloud environments and promotion process for further information.

Caution

When adding non-safelisted audit event fields, be mindful of the type of information that you intend to expose in the logs. For example, you may need to keep personally identifiable information (PII) out of the logs.

Adding additional fields to audit logging

Before you can access the audit configuration, you will need an access token to authenticate to the Identity Cloud REST API. See Authenticate to Identity Cloud REST API with Access Token for further information.

Note

It is recommended that you back up your audit configuration before making any changes.

Add the fields to audit logging as follows:

  1. Retrieve the existing audit configuration, for example:

     $ curl \
     --request GET 'https://<tenant-name>.forgeblocks.com/openidm/config/audit' \
     --header 'authorization: Bearer <access-token>' \
     --header 'content-type: application/json' \
     --header 'accept: application/json, text/javascript, */*; q=0.01'

     replacing <tenant-name> with your Identity Cloud tenant and <access-token> with the access token you obtained when you authenticated to the Identity Cloud REST API.
  2. Make a backup of the audit configuration before updating it.
  3. Update the includeIf property (under filterPolicies) to include the fields you want to add. Each path is a separate JSON array element, so every entry except the last needs a trailing comma. For example:

     "includeIf": [
        "/activity/before/mail",
        "/activity/after/mail",
        "/activity/before/sn",
        "/activity/after/sn"
     ]

     In this example, you would use the following curl command to update the audit configuration:

     $ curl --request PUT 'https://<tenant-name>.forgeblocks.com/openidm/config/audit' \
     --header 'authorization: Bearer <access-token>' \
     --header 'content-type: application/json' \
     --header 'accept: application/json, text/javascript, */*; q=0.01' \
     --data-raw '{
         "_id": "audit",
         "auditServiceConfig": {
             "handlerForQueries": "json",
             "availableAuditEventHandlers": [
                 "org.forgerock.audit.handlers.csv.CsvAuditEventHandler",
                 "org.forgerock.audit.handlers.elasticsearch.ElasticsearchAuditEventHandler",
                 "org.forgerock.audit.handlers.jms.JmsAuditEventHandler",
                 "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
                 "org.forgerock.audit.handlers.json.stdout.JsonStdoutAuditEventHandler",
                 "org.forgerock.openidm.audit.impl.RepositoryAuditEventHandler",
                 "org.forgerock.openidm.audit.impl.RouterAuditEventHandler",
                 "org.forgerock.audit.handlers.splunk.SplunkAuditEventHandler",
                 "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler"
             ],
             "filterPolicies": {
                 "value": {
                     "excludeIf": [
                         "/access/http/request/cookies/&{com.iplanet.am.cookie.name}",
                         "/access/http/request/cookies/session-jwt",
                         "/access/http/request/headers/&{com.sun.identity.auth.cookieName}",
                         "/access/http/request/headers/&{com.iplanet.am.cookie.name}",
                         "/access/http/request/headers/accept-encoding",
                         "/access/http/request/headers/accept-language",
                         "/access/http/request/headers/Authorization",
                         "/access/http/request/headers/cache-control",
                         "/access/http/request/headers/connection",
                         "/access/http/request/headers/content-length",
                         "/access/http/request/headers/content-type",
                         "/access/http/request/headers/proxy-authorization",
                         "/access/http/request/headers/X-OpenAM-Password",
                         "/access/http/request/headers/X-OpenIDM-Password",
                         "/access/http/request/queryParameters/access_token",
                         "/access/http/request/queryParameters/IDToken1",
                         "/access/http/request/queryParameters/id_token_hint",
                         "/access/http/request/queryParameters/Login.Token1",
                         "/access/http/request/queryParameters/redirect_uri",
                         "/access/http/request/queryParameters/requester",
                         "/access/http/request/queryParameters/sessionUpgradeSSOTokenId",
                         "/access/http/request/queryParameters/tokenId",
                         "/access/http/response/headers/Authorization",
                         "/access/http/response/headers/Set-Cookie",
                         "/access/http/response/headers/X-OpenIDM-Password"
                     ],
                     "includeIf": [
                         "/activity/before/mail",
                         "/activity/after/mail",
                         "/activity/before/sn",
                         "/activity/after/sn"
                     ]
                 }
             },
             "caseInsensitiveFields": [
                 "/access/http/request/headers",
                 "/access/http/response/headers"
             ]
         },
         "eventHandlers": [
             {
                 "class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
                 "config": {
                     "name": "json",
                     "logDirectory": "&{idm.data.dir}/audit",
                     "buffering": {
                         "maxSize": 100000,
                         "writeInterval": "100 millis"
                     },
                     "topics": [
                         "access",
                         "activity",
                         "sync",
                         "authentication",
                         "config"
                     ]
                 }
             },
             {
                 "class": "org.forgerock.openidm.audit.impl.RepositoryAuditEventHandler",
                 "config": {
                     "name": "repo",
                     "enabled": false,
                     "topics": [
                         "access",
                         "activity",
                         "sync",
                         "authentication",
                         "config"
                     ]
                 }
             }
         ],
         "eventTopics": {
             "config": {
                 "filter": {
                     "actions": [
                         "create",
                         "update",
                         "delete",
                         "patch",
                         "action"
                     ]
                 }
             },
             "activity": {
                 "filter": {
                     "actions": [
                         "create",
                         "update",
                         "delete",
                         "patch",
                         "action"
                     ]
                 },
                 "watchedFields": [],
                 "passwordFields": [
                     "password"
                 ]
             }
         },
         "exceptionFormatter": {
             "type": "text/javascript",
             "file": "bin/defaults/script/audit/stacktraceFormatter.js"
         }
     }'

     replacing <tenant-name> with your Identity Cloud tenant and <access-token> with the access token you obtained when you authenticated to the Identity Cloud REST API.

Audit logs for idm-activity and idm-everything sources now include the fields you have added. For example, the following entry in a sample activity log shows a change to a user's last name (from Brown to Granger) and email address (from jbrown@example.com to jgranger@example.com):

{
    "payload" : {
        "message" : "",
        "runAs" : "bd220328-9762-458b-b05a-982ac3c7fc54",
        "transactionId" : "1630683558570-abec9e9304c84ad368ba-28676/0",
        "before" : {
            "sn" : "Brown",
            "mail" : "jbrown@example.com"
        },
        "operation" : "PATCH",
        "passwordChanged" : false,
        "_id" : "52f7cea0-285d-4ef6-bda3-83256dda71c5-1300250",
        "revision" : "00000000412cae36",
        "eventName" : "activity",
        "userId" : "bd220328-9762-458b-b05a-982ac3c7fc54",
        "status" : "SUCCESS",
        "objectId" : "managed/alpha_user/ce7492dc-8759-47b3-b4ee-eda8d4de4ab1",
        "timestamp" : "2021-09-03T15:39:42.862Z",
        "changedFields" : [],
        "after" : {
            "sn" : "Granger",
            "mail" : "jgranger@example.com"
        }
    },
    "type" : "application/json",
    "timestamp" : "2021-09-03T15:39:44.040095219Z"
}
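The following Python script is an added example; it is not part of this article or of ForgeRock's code. It does the includeIf update above programmatically (so the document sent to /openidm/config/audit is generated rather than hand-edited, which rules out a missing comma), checks a hand-edited JSON text before it is sent, and reads the before/after values back out of an idm-activity entry of the shape shown above. The audit configuration and the log entry it uses are constructed samples that contain only the parts the functions touch, and the function names are this example's own.

```python
"""Added example (not ForgeRock's code): build the includeIf update for the
IDM audit configuration, validate JSON before sending it, and diff the
before/after values of an idm-activity log entry. Standard library only."""
import copy
import json

# Constructed sample: a cut-down audit config holding only the filterPolicies
# block this example modifies. A real tenant document has many more keys.
SAMPLE_AUDIT_CONFIG = {
    "_id": "audit",
    "auditServiceConfig": {
        "filterPolicies": {
            "value": {
                "excludeIf": [
                    "/access/http/request/headers/Authorization",
                    "/access/http/response/headers/Set-Cookie",
                ],
                "includeIf": [],
            }
        }
    },
}


def add_activity_fields(config, fields):
    """Return a copy of the audit config whose filterPolicies.value.includeIf
    lists /activity/before/<field> and /activity/after/<field> for each field.
    Idempotent: paths already present are not duplicated and existing order
    is kept, so re-running against a tenant produces the same document."""
    updated = copy.deepcopy(config)
    service = updated.setdefault("auditServiceConfig", {})
    value = service.setdefault("filterPolicies", {}).setdefault("value", {})
    include_if = value.setdefault("includeIf", [])
    for field in fields:
        for side in ("before", "after"):
            path = f"/activity/{side}/{field}"
            if path not in include_if:
                include_if.append(path)
    return updated


def check_json_text(text):
    """Validate a hand-edited JSON document before it goes into --data-raw.
    Returns None when the text parses, otherwise a 'line N column M: reason'
    string pointing at the first problem (for example a missing comma)."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"line {exc.lineno} column {exc.colno}: {exc.msg}"
    return None


def to_request_body(config):
    """Serialise the config for the PUT to /openidm/config/audit. Generating
    the body with json.dumps is what guarantees it is well-formed."""
    return json.dumps(config, indent=4)


def changed_fields(entry):
    """Given one idm-activity log entry (either the whole entry or just its
    'payload'), return {field: (before, after)} for every field whose value
    differs between the before and after images exposed via includeIf."""
    payload = entry.get("payload", entry)
    before = payload.get("before") or {}
    after = payload.get("after") or {}
    return {
        field: (before.get(field), after.get(field))
        for field in sorted(set(before) | set(after))
        if before.get(field) != after.get(field)
    }


# Constructed sample entry with the same shape as the activity log above;
# identifiers are placeholders, not values from a real tenant.
SAMPLE_ENTRY = {
    "payload": {
        "operation": "PATCH",
        "objectId": "managed/alpha_user/00000000-0000-0000-0000-000000000000",
        "before": {"sn": "Brown", "mail": "jbrown@example.com"},
        "after": {"sn": "Granger", "mail": "jgranger@example.com"},
        "status": "SUCCESS",
    },
    "type": "application/json",
}

if __name__ == "__main__":
    cfg = add_activity_fields(SAMPLE_AUDIT_CONFIG, ["mail", "sn"])
    print(to_request_body(cfg))
    print(check_json_text('{"includeIf": ["/activity/before/mail" "/activity/after/mail"]}'))
    print(changed_fields(SAMPLE_ENTRY))
```

Rather than pasting a complete audit document into --data-raw as in the curl command above, GET /openidm/config/audit first, pass the parsed response to add_activity_fields and PUT the output of to_request_body; that way any other audit settings already configured in the tenant are preserved instead of being overwritten by a stale copy.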

See View Audit Logs for further information on viewing audit logs for Identity Cloud.

Note

Identity Cloud stores audit data for 30 days. To keep audit data for longer, you'll need to store it in your own data stores. Currently, you can only gather audit logs by pulling them from the REST API endpoint (/monitoring/logs).

See Also

What logging sources are available in Identity Cloud?

Use Policies to Filter Audit Data

Promote Configuration


How do I enable debug logging and log rotation for the Remote Connector Server (RCS)?

The purpose of this article is to provide information on enabling debug logging and log rotation for the Java® RCS.

Overview

By default, logging is not enabled for the Java RCS. Additionally, log files are not set to rotate by default, which means they will grow in size indefinitely when logging is enabled.

If you want to enable logging for the RCS, it is strongly recommended that you also configure the log files to rotate as described in this article.

Debug Logging

You can enable debug logging as follows:

  1. Edit the logback.xml file (which is located in the /path/to/openicf/lib/framework/ directory) and uncomment the following section:

     <logger name="org.identityconnectors.framework.impl.api.LoggingProxy" level="DEBUG" additivity="false">
         <appender-ref ref="TRACE-FILE"/>
     </logger>

  2. Restart the RCS:

     $ /path/to/openicf/bin/ConnectorServer.sh /run

     The debug logs will be written to the ConnectorServer.log file (located in the /path/to/openicf/logs directory).

Rotating Log Files

You can configure the RCS to rotate log files as follows:

  1. Edit the logback.xml file and replace the following section (the appender for the ConnectorServer.log file, whose class is ch.qos.logback.core.FileAppender):

     <appender name="SERVER-FILE" class="ch.qos.logback.core.FileAppender">
         <file>logs/ConnectorServer.log</file>
         <append>true</append>
         <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
             <fileNamePattern>logs/ConnectorServer-%d{yyyyMMdd}.log</fileNamePattern>
         </rollingPolicy>
         <encoder>
             <pattern>%date{"MMM dd, yyyy h:mm:ss a"} %-5level %logger{35}: %msg %n</pattern>
         </encoder>
     </appender>

     With this section:

     <appender name="SERVER-FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
         <file>logs/ConnectorServer.log</file>
         <append>true</append>
         <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
             <fileNamePattern>logs/ConnectorServer-%d{yyyyMMdd}.log</fileNamePattern>
             <!-- keep 30 days of logs capped at 1GB total size -->
             <maxHistory>30</maxHistory>
             <totalSizeCap>1GB</totalSizeCap>
         </rollingPolicy>
         <encoder>
             <pattern>%date{"MMM dd, yyyy h:mm:ss a"} %-5level %logger{35}: %msg %n</pattern>
         </encoder>
     </appender>

     Where:
    • The appender class is changed to ch.qos.logback.core.rolling.RollingFileAppender to rotate the logs.
    • The maxHistory and totalSizeCap properties are added to ensure old logs are removed. This example configures them so that 30 days of logs are kept, capped at 1GB in size, but you can set them as needed for your environment.
  2. Restart the RCS:

     $ /path/to/openicf/bin/ConnectorServer.sh /run

See Also

RCS in Identity Cloud

Related Issue Tracker IDs

OPENICF-1638 (RCS logback.xml should be configured for rolling log files with max age/size over a single ever growing file by default)


How do I understand the underlying REST call being used in web requests in Identity Cloud or AM (All versions)?

The purpose of this article is to provide information on finding out what is included in REST calls being made in Identity Cloud or AM. This technique can be useful to help you formulate REST calls based on an existing web request or to troubleshoot why a REST call is not working as expected.

Overview

You can use the Developer Tools in your browser to copy a web request as a curl command and replay it on the command line. The resulting curl command includes all the headers, options, and data that were sent for the particular web request you are interested in. You can then use the information and REST syntax as the basis of your own REST calls, or for comparison when a request or endpoint is failing.

See How do I avoid common issues with REST calls in AM (All versions)? for other troubleshooting tips.

Copying to curl

You can copy a web request to curl as follows:

  1. Launch the Developer Tools in your browser and select the Network tab.
  2. Enter the URL that you want to examine web requests for and let it load fully.
  3. Right-click the required web request on the Network tab, select Copy, then select Copy as cURL.
  4. Paste the resulting curl command into a text file or onto the command line as needed.

These instructions apply to Chrome™, Firefox® and Microsoft® Edge.

Example

Copying the web request for creating a basic authentication tree produces the following curl command:

curl 'http://host1.example.com:8080/openam/json/realms/root/realm-config/authentication/authenticationtrees/trees/sampleTree' \
  -X 'PUT' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'accept-api-version: protocol=2.1,resource=1.0' \
  -H 'accept: application/json' \
  -H 'if-none-match: *' \
  -H 'x-requested-with: ForgeRock CREST.js' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36' \
  -H 'content-type: application/json' \
  -H 'Origin: http://host1.example.com:8080' \
  -H 'Referer: http://host1.example.com:8080/openam/ui-admin/' \
  -H 'Accept-Language: en-GB,en;q=0.9' \
  -H 'Cookie: amlbcookie=01; iPlanetDirectoryPro=ji_S58bZ7iuOeRgdbny74vqJK5Y.*AAJTSQACMDEAAlNLABx5S3h5SHd3Y29HT1BRZGpoaVlkQS9VbERJc2M9AAR0eXBlAANDVFMAAlMxAAA.*' \
  --data-binary '{"entryNodeId":"e301438c-0bd0-429c-ab0c-66126501069a","nodes":{},"staticNodes":{}}' \
  --compressed \
  --insecure

Note that the copied command reproduces exactly what the browser sent, including the iPlanetDirectoryPro session cookie, which is a valid AM session token for as long as that session lives; redact it before attaching the command to a ticket or saving it in a script. The command in this example also ends with --insecure, which tells curl to skip TLS certificate verification, so remove that option before replaying the request against anything other than a test server.
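The Python function below is an added example, not part of this article or of ForgeRock's tooling. It parses a copied curl command, blanks the values of credential-bearing headers (the header and cookie names are taken from the excludeIf list that the IDM audit service applies to access logs earlier on this page, plus iPlanetDirectoryPro, which AM also accepts as a header), leaves every other argument untouched, and reports whether --insecure is present. The header list, the function names and the sample command are this example's own assumptions; the session and bearer values in the sample are placeholders, not real tokens.

```python
"""Added example (not ForgeRock's code): redact session and credential
material from a 'Copy as cURL' command before it is shared or stored."""
import shlex

# Request headers whose whole value must be hidden (compared case-insensitively).
# Names follow the IDM audit excludeIf list shown earlier on this page; the
# iPlanetDirectoryPro header is assumed here because AM accepts the session
# token in a header of that name as well as in the cookie.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "x-openam-password",
    "x-openidm-password", "iplanetdirectorypro",
}
# Cookies redacted individually so the rest of the Cookie header (for example
# amlbcookie, which only identifies the AM instance) stays useful for support.
SENSITIVE_COOKIES = {"iplanetdirectorypro", "session-jwt"}
REDACTED = "<redacted>"


def _redact_cookie_header(value):
    """Replace the value of each sensitive cookie in 'a=1; b=2' form."""
    parts = []
    for part in value.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name.strip().lower() in SENSITIVE_COOKIES:
            parts.append(f"{name.strip()}={REDACTED}")
        else:
            parts.append(part.strip())
    return "; ".join(parts)


def redact_curl(command):
    """Return (sanitised command, names of redacted headers, insecure flag).
    Only -H/--header values are altered; URL, method, body and other options
    pass through unchanged and are re-quoted with shlex.quote."""
    argv = shlex.split(command.replace("\\\n", " "))
    out, redacted = [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--header") and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition(":")
            lname = name.strip().lower()
            if lname == "cookie":
                cleaned = _redact_cookie_header(value)
                if cleaned != value.strip():
                    redacted.append(name.strip())
                out += [arg, f"{name.strip()}: {cleaned}"]
            elif lname in SENSITIVE_HEADERS:
                redacted.append(name.strip())
                out += [arg, f"{name.strip()}: {REDACTED}"]
            else:
                out += [arg, argv[i + 1]]
            i += 2
            continue
        out.append(arg)
        i += 1
    insecure = "--insecure" in argv or "-k" in argv
    return " ".join(shlex.quote(a) for a in out), redacted, insecure


# Constructed sample in the shape Chrome produces; token values are placeholders.
SAMPLE_COPIED_CURL = r"""curl 'http://host1.example.com:8080/openam/json/realms/root/realm-config/authentication/authenticationtrees/trees/sampleTree' \
  -X 'PUT' \
  -H 'accept-api-version: protocol=2.1,resource=1.0' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer FAKE-ACCESS-TOKEN' \
  -H 'Cookie: amlbcookie=01; iPlanetDirectoryPro=FAKE-SESSION-TOKEN.*AAJTSQ.*' \
  --data-binary '{"entryNodeId":"e301438c-0bd0-429c-ab0c-66126501069a","nodes":{},"staticNodes":{}}' \
  --compressed \
  --insecure"""

if __name__ == "__main__":
    clean, headers, insecure = redact_curl(SAMPLE_COPIED_CURL)
    print(clean)
    print("redacted headers:", headers)
    if insecure:
        print("warning: --insecure present; TLS verification is disabled on replay")
```

The output is a single-line command with the same argument order as the input, so a colleague can still replay it after inserting their own session token; run the function again on its own output and it returns the same string, which makes it safe to apply as a pre-commit or pre-attach step.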

See Also

How do I avoid common issues with REST calls in AM (All versions)?

REST API Explorer

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.
