Access Management 7.4.1

Audit logging reference

AM writes log messages generated from audit events triggered by its components, instances, and other ForgeRock-based stack products.

Audit log format

This section presents the audit log format for each topic-based file, event names, and audit constants used in its log messages.

Access log format

Schema property Description

_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

eventName

Specifies the name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. For a list of audit event names, see Audit log events.

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where trusted AM deployment with multiple instances, components, and ForgeRock stack products can propagate the transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. In releases prior to OpenAM 13.0.0, the contextId log property used a random string as an alias for the session ID. The trackingIds property also uses an alias when referring to session IDs, for example, [ "45b17894529cf74301" ].

OpenAM 13.0.0 extended this property to handle OAuth 2.0 tokens. In this case, whenever AM generates an access or grant token, it also generates unique random value and logs it as an alias. In this way, it is possible to trace back an access token back to its originating grant token, trace the grant token back to the session in which it was created, and then trace how the session was authenticated. An example of a trackingIds property in an OAuth 2.0/OpenID Connect 1.0 environment is:

[ "1979edf68543ead001", "8878e51a-f2aa-464f-b1cc-b12fd6daa415", "3df9a5c3-8d1e-4ee3-93d6-b9bbe58163bc" ]
If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

server.ip

Specifies the IP address of the AM server. For example, 127.0.0.1.

server.port

Specifies the port number used by the AM server. For example, 8080.

client.host

Specifies the client hostname. This field is only populated if reverse DNS lookup is enabled.

client.ip

Specifies the client IP address.

client.port

Specifies the client port number.

authorizationId.roles

Specifies the list of roles for the authorized user.

authorizationId.component

Specifies the component part of the authorized ID, such as

request.protocol

Specifies the protocol associated with the request operation. Possible values: CREST and PLL.

request.operation

Specifies the request operation. For Common REST operations, possible values are: READ, ACTION, QUERY.

For PLL operations, possible values are: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request.detail

Specifies the detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

http.method

Specifies the HTTP method requested by the client. For example, GET, POST, PUT.

http.path

Specifies the path of the HTTP request. For example, https://openam.example.com:8443/openam/json/realms/root/authenticate.

http.queryParameters

Specifies the HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/shop" ] }

  • { "_action": [ "validateGoto" ] }

http.request.headers

Specifies the HTTP header for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "forgerock-am.openrock.org"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://forgerock-am.openrock.org/openam/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

http.request.cookies

Specifies a JSON map of key-value pairs and appears as its own property to allow for denylisting fields or values.

http.response.cookies

Not used in AM.

response.status

Specifies the response status of the request. For example, SUCCESS, FAILURE, or null.

response.statusCode

Specifies the response status code, depending on the protocol. For Common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed.

response.detail

Specifies the message associated with response.statusCode. For example, the response.statusCode of 401 has a response.detail of { "reason": "Unauthorized" }.

response.elapsedTime

Specifies the time to execute the access event, usually in millisecond precision.

response.elapsedTimeUnits

Specifies the elapsed time units of the response. For example, MILLISECONDS.

component

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth, Web Policy Agent, or Java Policy Agent.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

Activity log format

Property Description

_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-487.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.652Z

eventName

Specifies the name of the audit event. For example, AM-SESSION_CREATED, AM-SESSION-LOGGED_OUT, AM-IDENTITY-CHANGE. For a list of audit event names, see Audit log events.

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for same even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies an array containing a random context ID that identifies the session and a random string generated from an OAuth 2.0/OpenID Connect 1.0 flow that could track an access token ID or an grant token ID. For example, [ "45b17894529cf74301" ].

If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

runAs

Specifies the user to run the activity as. May be used in delegated administration. For example, id=dsameuser,ou=user,dc=example,dc=com.

objectId

Specifies the identifier of an object that has been created, updated, or deleted. For logging sessions, the session trackingId is used in this field. For example, [ "45b17894529cf74301" ]

operation

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

before

Not used.

after

Not used.

changedFields

Not used.

revision

Not used.

component

Specifies the AM service utilized. For example, Session or Self-Service.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

Authentication log format

Property Description

_id

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-485.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.640Z

eventName

Specifies the name of the audit event. For example, AM-LOGOUT and AM-LOGIN-MODULE-COMPLETED. For a list of audit event names, see Audit log events.

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingIds

Specifies an array containing a unique random context ID. For example:

  • For OAuth 2.0/OpenID Connect flows, it identifies the session and a random string generated that can track an access token ID or a grant token ID.

  • For authentication trees, it identifies an authentication tree flow.

If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

result

Depending on the event being logged, specifies the outcome of:

  • A single authentication module within a chain

  • The result for an authentication tree

Possible values are SUCCESSFUL or FAILED.

principal

Specifies the array of accounts used to authenticate, such as [ "amadmin" ] and [ "scarter" ].

context

Not used

entries

Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. Examples:

{
   "entries":[
      {
         "moduleId":"DataStore",
         "info":{
            "moduleClass":"DataStore",
            "ipAddress":"127.0.0.1",
            "moduleName":"DataStore",
            "authLevel":"0"
         }
      }
   ]
}
{
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
}

component

Specifies the AM service utilized. For example, Authentication.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

Config log format

Property Description

_id

Specifies a universally unique identifier (UUID) for the message object. For example, 6a568d4fe-d655-49a8-8290-bfc02095bec9-843.

timestamp

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example, 2015-11-14T00:21:03.490Z

eventName

Specifies the name of the audit event. For example, AM-CONFIG-CHANGE. For a list of audit event names, see Audit log events.

transactionId

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 301d1a6e-67f9-4e45-bfeb-5e4047a8b432.

user.id

Not used.

You can determine the value for this field by linking to the access event using the same transactionId.

trackingIds

Not used.

runAs

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectId

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services,dc=example,dc=com.

operation

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

before

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}

after

Specifies the JSON representation of the object after the activity. For example:

{
 "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}

changedFields

Specifies the fields that were changed. For example, [ "sunKeyValue" ].

revision

Not used.

component

Not used.

realm

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

Audit log events

This table summarizes the predefined events for each topic:

Topic Event name Event description

access

AM-ACCESS_ATTEMPT

When AM starts handling an HTTP request.

access

AM-ACCESS-OUTCOME

When AM finishes handling an HTTP request.

activity

AM-BACK-CHANNEL-LOGOUT

Event for an OIDC back-channel logout.

activity

AM-CONNECTION-FACTORY-CLOSED

Event for closing a connection factory.

activity

AM-CONNECTION-UPDATE

Event for a state change for the connection factory, such as when configuration changes lead to an attempt to reconnect.

activity

AM-GROUP-CHANGE

When a group is changed.

activity

AM-IDENTITY-CHANGE

When an identity is updated, such as a change to an attribute.

activity

AM-KEY-MANAGER-RELOAD-NOTIFICATION

A Key Manager reload event.

activity

AM-LOGOUT-USER-TOKEN

When a user is logged out by their username (client-side sessions only).

activity

AM-NEW-CONNECTION-FACTORY

Event for creating a new connection factory.

activity

AM-SELFSERVICE-REGISTRATION-COMPLETED

When the self-service registration process is complete.

activity

AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED

When the self-service password reset process is complete.

activity

AM-SESSION-CREATED

When an SSO session is created.

activity

AM-SESSION-DESTROYED

When an SSO session is destroyed.

activity

AM-SESSION-IDLE_TIMED_OUT

When an SSO session has been inactive for longer than configured idle timeout duration.

activity

AM-SESSION-LOGGED_OUT

Event for the explicit logout of an SSO session.

activity

AM-SESSION-MAX_TIMED_OUT

When an SSO session exceeds the maximum configured lifetime.

activity

AM-SESSION-PROPERTY_CHANGED

When an SSO session property changes.

activity

AM-TOKEN-EXCHANGE

Event for an OAuth 2.0 token exchange.

authentication

AM-LOGIN-COMPLETED

Event for the successful or failed completion of an authentication chain login.

authentication

AM-LOGIN-MODULE-COMPLETED

Event for the successful or failed completion of an authentication module login.

authentication

AM-LOGOUT

Event for an authentication process logout.

authentication

AM-NODE-LOGIN-COMPLETED

Event for the successful or failed completion of an authentication node login.

authentication

AM-TREE-LOGIN-COMPLETED

Event for the successful or failed completion of an authentication tree login.

config

AM-BOOT-JSON-UPDATED

When the boot.json file is updated.

config

AM-CONFIG-CHANGE

When the AM configuration is updated.

Audit log components

This table lists the predefined audit event components that make up log messages:

Event component AM component, service, or feature

AM agents

Web and Java agents

Audit

Auditing service

Authentication

Authentication service

Batch

Batch service

Boot Json

Boot.json component

Config

Configuration

CORS

CORS preflight component

CTS

Core Token Service

Dashboard

Dashboard service

Devices

Trusted devices

Documentation

API documentation component

Groups

Groups component

ID Repo

ID Repo event component

jato

Jato audit event component

Monitoring

Monitoring

Oath

Mobile authentication

OAuth

OAuth 2.0, OpenID Connect 1.0, and UMA

Policy

Policies

Push

Push Notification service

Radius

RADIUS server

Realms

Realms and sub-realms

Record

Recording service

SAML2

SAML v2.0

Script

Scripting service

Self-Service

User Self-Service service

Secrets

Secrets component

Service Config Cache

Service Config Cache audit event component

Server Info

Server information service

Session

Session service

ssoadm

ssoadm command

STS

Secure Token Service: REST and SOAP

Things

Internet of Things component

Users

Users component

Audit log failure reasons

The following predefined authentication failure reasons are written to the audit log.

These failure reasons are audited only for authentication using modules and chains, not for authentication using trees.
Failure Description

ACCOUNT_EXPIRED

User account has expired.

AUTH_TYPE_DENIED

Authentication type is denied.

INVALID_LEVEL

Level-based authentication: Invalid authentication level.

INVALID_PASSWORD

Invalid credentials entered.

INVALID_REALM

Realm does not exist.

LOCKED_OUT

Maximum number of failure attempts exceeded. User is locked out.

LOGIN_FAILED

Incorrect/invalid credentials presented.

LOGIN_TIMEOUT

Login timed out.

MAX_SESSION_REACHED

Limit for maximum number of allowed sessions has been reached.

MODULE_DENIED

Authentication module is denied.

NO_CONFIG

Authentication chain does not exist.

NO_USER_PROFILE

No user profile found for this user.

REALM_INACTIVE

Realm is not active.

SESSION_CREATE_ERROR

Cannot create a session.

USER_INACTIVE

User is not active.

USER_NOT_FOUND

Role-based authentication: user does not belong to this role.

USERID_NOT_FOUND

The user ID was not found.

Audit log fields

The following tables list all the available fields that you can use to filter audit logs. The log fields are listed in JSON notation.

Some fields may contain sensitive information and are not suitable for recording in audit logs. By default, AM has a preconfigured allowlist that defines which object fields can be logged.

The table indicates which fields appear on the default allowlist. If an allowlisted field contains an object, then listing the field means the whole object is allowlisted.

Access log fields

Field Allowlisted by default

/access/_id

Yes

/access/client/ip

Yes

/access/client/port

Yes

/access/access/component

/access/eventName

Yes

/access/http/request/cookies/Domain

/access/http/request/cookies/Expires

/access/http/request/cookies/HttpOnly

/access/http/request/cookies/JSESSIONID

/access/http/request/cookies/Max-Age

/access/http/request/cookies/NTID

/access/http/request/cookies/OAUTH_REQUEST_ATTRIBUTES

/access/http/request/cookies/ORIG_URL

/access/http/request/cookies/Path

/access/http/request/cookies/amlbcookie

/access/http/request/cookies/authId

/access/http/request/cookies/iPlanetDirectoryPro

/access/http/request/headers/accept

Yes

/access/http/request/headers/accept-api-version

Yes

/access/http/request/headers/accept-encoding

/access/http/request/headers/accept-language

/access/http/request/headers/authorization

/access/http/request/headers/cache-control

/access/http/request/headers/connection

/access/http/request/headers/content-length

/access/http/request/headers/content-type

Yes

/access/http/request/headers/host

Yes

/access/http/request/headers/if-match

/access/http/request/headers/if-none-match

/access/http/request/headers/iplanetdirectorypro

/access/http/request/headers/oidc_id_token

/access/http/request/headers/origin

/access/http/request/headers/referer

/access/http/request/headers/upgrade-insecure-requests

/access/http/request/headers/user-agent

Yes

/access/http/request/headers/user

/access/http/request/headers/x-forgerock-transactionid

/access/http/request/headers/x-forwarded-for

Yes

/access/http/request/headers/x-forwarded-host

Yes

/access/http/request/headers/x-forwarded-port

Yes

/access/http/request/headers/x-forwarded-proto

Yes

/access/http/request/headers/x-nosession

/access/http/request/headers/x-openam-password

/access/http/request/headers/x-openam-username

/access/http/request/headers/x-original-uri

Yes

/access/http/request/headers/x-password

/access/http/request/headers/x-real-ip

Yes

/access/http/request/headers/x-request-id

Yes

/access/http/request/headers/x-requested-with

Yes

/access/http/request/headers/x-scheme

Yes

/access/http/request/headers/x-username

/access/http/request/method

Yes

/access/http/request/path

Yes

/access/http/request/queryParameters/ForceAuth

/access/http/request/queryParameters/_action

/access/http/request/queryParameters/_fields

/access/http/request/queryParameters/_pageSize

/access/http/request/queryParameters/_queryFilter

/access/http/request/queryParameters/_queryId

/access/http/request/queryParameters/access_token

/access/http/request/queryParameters/acr

/access/http/request/queryParameters/agent_realm

/access/http/request/queryParameters/assertion

/access/http/request/queryParameters/authIndexType

Yes

/access/http/request/queryParameters/authIndexValue

Yes

/access/http/request/queryParameters/auth_chain

/access/http/request/queryParameters/client_id

/access/http/request/queryParameters/client_secret

/access/http/request/queryParameters/cnf_key

/access/http/request/queryParameters/code

/access/http/request/queryParameters/code_challenge

/access/http/request/queryParameters/code_challenge_method

/access/http/request/queryParameters/code_verifier

/access/http/request/queryParameters/composite_advice

Yes

/access/http/request/queryParameters/csrf

/access/http/request/queryParameters/decision

/access/http/request/queryParameters/device_code

/access/http/request/queryParameters/forUI

/access/http/request/queryParameters/goto

/access/http/request/queryParameters/grant_type

/access/http/request/queryParameters/id_token

/access/http/request/queryParameters/iss

/access/http/request/queryParameters/level

Yes

/access/http/request/queryParameters/module

/access/http/request/queryParameters/module_instance

Yes

/access/http/request/queryParameters/nonce

/access/http/request/queryParameters/oauth_token

/access/http/request/queryParameters/oauth_verifier

/access/http/request/queryParameters/password

/access/http/request/queryParameters/prompt

/access/http/request/queryParameters/realm

/access/http/request/queryParameters/redirect_uri

/access/http/request/queryParameters/refresh_token

/access/http/request/queryParameters/rel

/access/http/request/queryParameters/request

/access/http/request/queryParameters/resource

Yes

/access/http/request/queryParameters/response_type

/access/http/request/queryParameters/role

Yes

/access/http/request/queryParameters/save_consent

/access/http/request/queryParameters/scope

/access/http/request/queryParameters/service

Yes

/access/http/request/queryParameters/sessionUpgradeSSOTokenId

/access/http/request/queryParameters/state

/access/http/request/queryParameters/token

/access/http/request/queryParameters/user

Yes

/access/http/request/queryParameters/user_code

/access/http/request/queryParameters/username

/access/http/request/secure

Yes

/access/realm

/access/request/detail/action

Yes

/access/request/operation

Yes

/access/request/protocol

Yes

/access/response/detail/active

Yes

/access/response/detail/application_type

Yes

/access/response/detail/client_id

Yes

/access/response/detail/objectId

Yes

/access/response/detail/reason

Yes

/access/response/detail/redirect_uris

Yes

/access/response/detail/revision

Yes

/access/response/detail/scope

Yes

/access/response/detail/scope

Yes

/access/response/detail/token_type

Yes

/access/response/detail/username

Yes

/access/response/elapsedTime

Yes

/access/response/elapsedTimeUnits

Yes

/access/response/status

Yes

/access/response/statusCode

Yes

/access/server/ip

Yes

/access/server/port

Yes

/access/timestamp

Yes

/access/trackingIds

Yes

/access/transactionId

Yes

/access/userId

Yes

Activity log fields

Field Allowlisted by default

/activity/_id

Yes

/activity/after/_id

/activity/after/_username

/activity/after/assignedDashboard

Yes

/activity/after/cn

Yes

/activity/after/commonName

Yes

/activity/after/createTimestamp

/activity/after/dn

/activity/after/givenName

Yes

/activity/after/inetUserStatus

Yes

/activity/after/iplanet-am-session-max-caching-time

/activity/after/iplanet-am-session-max-idle-time

/activity/after/iplanet-am-session-max-session-time

/activity/after/iplanet-am-session-quota-limit

/activity/after/iplanet-am-user-alias-list

Yes

/activity/after/iplanet-am-user-login-status

Yes

/activity/after/kbaInfo

/activity/after/kbaInfoAttempts

Yes

/activity/after/lastEmailSent

/activity/after/mail

/activity/after/memberof

Yes

/activity/after/modifyTimestamp

/activity/after/o

Yes

/activity/after/oath2faEnabled

Yes

/activity/after/oathDeviceProfiles

/activity/after/objectClass

Yes

/activity/after/organizationName

Yes

/activity/after/organizationUnitName

Yes

/activity/after/ou

Yes

/activity/after/push2faEnabled

Yes

/activity/after/pushDeviceProfiles

/activity/after/sn

Yes

/activity/after/sunAMAuthInvalidAttemptsData

Yes

/activity/after/surname

Yes

/activity/after/uid

Yes

/activity/after/uniqueMember

Yes

/activity/after/userid

Yes

/activity/after/userPassword

/activity/after/webauthnDeviceProfiles

/activity/before/assignedDashboard

Yes

/activity/before/cn

Yes

/activity/before/commonName

Yes

/activity/before/givenName

Yes

/activity/before/inetUserStatus

Yes

/activity/before/iplanet-am-session-max-caching-time

/activity/before/iplanet-am-session-max-idle-time

/activity/before/iplanet-am-session-max-session-time

/activity/before/iplanet-am-session-quota-limit

/activity/before/iplanet-am-user-alias-list

Yes

/activity/before/iplanet-am-user-login-status

Yes

/activity/before/kbaInfo

/activity/before/kbaInfoAttempts

Yes

/activity/before/lastEmailSent

/activity/before/memberof

Yes

/activity/before/modifyTimestamp

/activity/before/o

Yes

/activity/before/oath2faEnabled

Yes

/activity/before/objectClass

Yes

/activity/before/organizationName

Yes

/activity/before/organizationUnitName

Yes

/activity/before/ou

Yes

/activity/before/push2faEnabled

Yes

/activity/before/sn

Yes

/activity/before/sunAMAuthInvalidAttemptsData

Yes

/activity/before/surname

Yes

/activity/before/uid

Yes

/activity/before/uniqueMember

Yes

/activity/before/userid

Yes

/activity/before/userPassword

/activity/changedFields

Yes

/activity/component

Yes

/activity/eventName

Yes

/activity/objectId

Yes

/activity/operation

Yes

/activity/realm

Yes

/activity/revision

Yes

/activity/runAs

Yes

/activity/timestamp

Yes

/activity/trackingIds

Yes

/activity/transactionId

Yes

/activity/userId

Yes

Authentication log fields

Field Allowlisted by default

/authentication/

Yes

Config log fields

Field Allowlisted by default

/config/_id

Yes

/config/after/modifytimestamp

/config/after/objectclass

/config/after/ou

/config/after/sunKeyValue

/config/after/sunserviceID

/config/after/sunsmspriority

/config/after/sunxmlKeyValue

/config/before/modifytimestamp

/config/before/objectclass

/config/before/ou

/config/before/sunKeyValue

/config/before/sunserviceID

/config/before/sunsmspriority

/config/before/sunxmlKeyValue

/config/changedFields

Yes

/config/component

Yes

/config/eventName

Yes

/config/objectId

Yes

/config/operation

Yes

/config/realm

Yes

/config/revision

Yes

/config/runAs

Yes

/config/timestamp

Yes

/config/trackingIds

Yes

/config/transactionId

Yes

/config/userId

JDBC audit log tables

AM writes audit events to relational databases using the JDBC audit event handler. This section presents the columns for each audit table.

am_auditaccess

Column Datatype Description

id

VARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255)

Specifies the name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. For a list of audit event names, see Audit log events.

userid

VARCHAR(255) NULL

Specifies the universal identifier for the authenticated user. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

server_ip

VARCHAR(40)

Specifies the IP address of the AM server.

server_port

VARCHAR(5)

Specifies the port number used by the AM server. For example, 8080.

client_host

VARCHAR(255)

Specifies the client hostname. This column is only populated if reverse DNS lookup is enabled.

client_ip

VARCHAR(40)

Specifies the client IP address.

client_port

VARCHAR(5)

Specifies the client port number.

request_protocol

VARCHAR(255) NULL

Specifies the protocol associated with the request operation. Possible values: CREST and PLL.

request_operation

VARCHAR(255) NULL

Specifies the request operation.

For Common REST operations, possible values: READ, ACTION, QUERY.

For PLL operations, possible values: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request_detail

TEXT NULL

Specifies the detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

http_request_secure

BOOLEAN NULL

Specifies the HTTP method requested by the client. For example, trueT or false. Note that false does not mean the client connection is insecure as there may be a reverse proxy terminating the HTTPS connection.

http_request_method

VARCHAR(7) NULL

Specifies the HTTP method requested by the client. For example, GET, POST, PUT.

http_request_path

VARCHAR(255) NULL

Specifies the path of the HTTP request. For example, https://openam.example.com:8443/openam/json/realms/root/authenticate.

http_request_queryparameters

MEDIUMTEXT NULL

Specifies the HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/shop" ] }

  • { "_action": [ "validateGoto" ] }

http_request_headers

MEDIUMTEXT NULL

Specifies the HTTP headers for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "forgerock-am.openrock.org"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://forgerock-am.openrock.org/openam/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

http_request_cookies

MEDIUMTEXT NULL

Specifies a JSON map of key-value pairs and appears as its own property to allow for blacklisting fields or values. For example:

"cookies": "amlbcookie=01;
iPlanetDirectoryPro=\"AQIC5wM2LY....*AAJTSQACMfwT...*\";
iPlanetDirectoryPro=eyJ0eXAiOiJK....eyJzdWIiOiJkZ..."

Note: line feeds and truncated values in the example are for readability purposes.

http_response_headers

MEDIUMTEXT NULL

Captures the headers returned by AM to the client (that is, the inverse of http_request_headers). Note that AM does not currently populate this field.

response_status

VARCHAR(10) NULL

Specifies the response status of the request. For example, SUCCESS, FAILURE, ALLOWED, DENIED, or NULL.

response_statuscode

VARCHAR(255) NULL

Specifies the response status code, depending on the protocol.

For Common REST, HTTP failure codes are displayed but not HTTP success codes.

For PLL endpoints, PLL error codes are displayed.

response_detail

TEXT NULL

Specifies the message associated with the response status code. For example, a response status code of 401 has a response detail of { "reason": "Unauthorized" }.

response_elapsedtime

VARCHAR(255) NULL

Specifies the time to execute the access event, usually in millisecond precision.

response_elapsedtimeunits

VARCHAR(255) NULL

Specifies the elapsed time units of the response. For example, MILLISECONDS.

component

VARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

am_auditauthentication

Column Datatype Description

id

VARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

Specifies the name of the audit event. For example, ` AM-LOGIN-MODULE-COMPLETED` and AM-LOGOUT. For a list of audit event names, see Audit log events.

userid

VARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

result

VARCHAR(255) NULL

Depending on the event being logged, specifies the outcome of:

  • A single authentication module within a chain

  • The result for an authentication tree

Possible values are SUCCESSFUL or FAILED.

principals

MEDIUMTEXT

Specifies the array of accounts used to authenticate, such as [ "amadmin" ] and [ "scarter" ].

context

MEDIUMTEXT

Not used.

entries

MEDIUMTEXT

Specifies the JSON representation of the details of an authentication module, chain, tree or node. AM creates an event as each module or node completes and a final event at the end of the chain or tree. For example:

{
   "entries":[
      {
         "moduleId":"DataStore",
         "info":{
            "moduleClass":"DataStore",
            "ipAddress":"127.0.0.1",
            "moduleName":"DataStore",
            "authLevel":"0"
         }
      }
   ]
}
{
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
}

component

VARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

am_auditactivity

Column Datatype Description

id

VARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NOT NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

Specifies the name of the audit event. For example, AM-SESSION-CREATED and AM-SESSION-DESTROYED. For a list of audit event names, see Audit log events.

userid

VARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

runas

VARCHAR(255) NULL

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectid

VARCHAR(255) NULL

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services,dc=example,dc=com.

operation

VARCHAR(255) NULL

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObject

MEDIUMTEXT NULL

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}

afterObject

MEDIUMTEXT NULL

Specifies the JSON representation of the object after the activity. For example:

{
  "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}

changedfields

VARCHAR(255) NULL

Specifies the columns that were changed. For example, [ "sunKeyValue" ].

rev

VARCHAR(255) NULL

Not used.

component

VARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").

am_auditconfig

Column Datatype Description

id

VARCHAR(56) NOT NULL

Specifies a universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

Specifies the timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2015-11-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

Specifies the UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

AM supports a feature where a trusted AM deployment with multiple instances, components, and ForgeRock products can propagate a transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

Specifies the name of the audit event. For example, AM-CONFIG-CHANGE. For a list of audit event names, see Audit log events.

userid

VARCHAR(255) NULL

Specifies the universal identifier for authenticated users. For example, id=scarter,ou=user,o=shop,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

Specifies the tracking IDs of the event, used by all topics.

runas

VARCHAR(255) NULL

Specifies the user to run the activity as. May be used in delegated administration. For example, uid=amAdmin,ou=People,dc=example,dc=com.

objectid

VARCHAR(255) NULL

Specifies the identifier of a system object that has been created, modified, or deleted. For example, ou=SamuelTwo,ou=default,ou=OrganizationConfig,ou=1.0, ou=iPlanetAMAuthSAML2Service,ou=services,o=shop,ou=services,dc=example,dc=com.

operation

VARCHAR(255) NULL

Specifies the state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObject

MEDIUMTEXT NULL

Specifies the JSON representation of the object prior to the activity. For example:

{
   "sunsmspriority":[
      "0"
   ],
   "objectclass":[
      "top",
      "sunServiceComponent",
      "organizationalUnit"
   ],
   "ou":[
      "SamuelTwo"
   ],
   "sunserviceID":[
      "serverconfig"
   ]
}

afterObject

MEDIUMTEXT NULL

Specifies the JSON representation of the object after the activity. For example:

{
  "sunKeyValue":[
      "forgerock-am-auth-saml2-auth-level=0",
      "forgerock-am-auth-saml2-meta-alias=/sp",
      "forgerock-am-auth-saml2-entity-name=http://",
      "forgerock-am-auth-saml2-authn-context-decl-ref=",
      "forgerock-am-auth-saml2-force-authn=none",
      "forgerock-am-auth-saml2-is-passive=none",
      "forgerock-am-auth-saml2-login-chain=",
      "forgerock-am-auth-saml2-auth-comparison=none",
      "forgerock-am-auth-saml2-req-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "forgerock-am-auth-saml2-binding= urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
      "forgerock-am-auth-saml2-authn-context-class-ref=",
      "forgerock-am-auth-saml2-slo-relay=http://",
      "forgerock-am-auth-saml2-allow-create=false",
      "forgerock-am-auth-saml2-name-id-format= urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   ]
}

changedfields

VARCHAR(255) NULL

Specifies the columns that were changed. For example, [ "sunKeyValue" ].

rev

VARCHAR(255)

Not used.

component

VARCHAR(255) NULL

Specifies the AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

Specifies the realm where the operation occurred. For example, the Top Level Realm ("/“) or the sub-realm name (”/shop").