---
title: Audit log schema
description: "Schema for the six PingIDM audit event topics: access, activity, authentication, config, recon, and sync, and how to parse audit log files"
component: pingidm
version: 8.1
page_id: pingidm:audit-guide:audit-schema
canonical_url: https://docs.pingidentity.com/pingidm/8.1/audit-guide/audit-schema.html
keywords: ["Audit", "Logs", "Schema"]
---

# Audit log schema

The tables in this section show the schema for the six audit event topics. For the JSON audit event handler, each audit topic is logged to a distinct JSON file, with the topic in the filename. Files are created in the `openidm/audit` directory by default:

* `access.audit.json`

* `activity.audit.json`

* `authentication.audit.json`

* `config.audit.json`

* `recon.audit.json`

* `sync.audit.json`

You can parse the files in the `openidm/audit` directory using a JSON processor, such as `jq`. For example:

```
tail -f authentication.audit.json | jq .
{
  "context": {
    "component": "internal/user",
    "roles": [
      "internal/role/openidm-admin",
      "internal/role/openidm-authorized"
    ],
    "ipAddress": "0:0:0:0:0:0:0:1",
    "id": "openidm-admin",
    "moduleId": "INTERNAL_USER"
  },
  "entries": [
    {
      "moduleId": "JwtSession",
      "result": "SUCCESSFUL",
      "info": {
        "org.forgerock.authentication.principal": "openidm-admin"
      }
    }
  ],
  "principal": [
    "openidm-admin"
  ],
...
```