ForgeRock

Collect audit logs from ForgeRock with Elastic Agent.

Version
1.18.4
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

ForgeRock is a modern identity platform that helps organizations simplify identity and access management (IAM) and identity governance and administration (IGA). The ForgeRock integration collects audit logs, and the access management debug log, from the ForgeRock Identity Cloud API and normalizes them to ECS.

Configuration

The integration authenticates to the ForgeRock Identity Cloud API with an API key ID and an API key secret; both are created in the Identity Cloud admin UI. Treat the secret as a credential for read access to the tenant's audit trail: keep it out of version control and rotate it if it is exposed.
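As an added example (not code from the Elastic integration or from ForgeRock), the following Python collector shows the shape of the polling that Elastic Agent's httpjson input performs against the Identity Cloud logs API: authenticate with the key ID and secret, fetch one log source for a time window, and follow the pagination cookie until it is exhausted. The endpoint path (/monitoring/logs), the query parameters (source, beginTime, endTime, _pagedResultsCookie), the x-api-key and x-api-secret headers and the result / pagedResultsCookie response keys are assumptions taken from the Identity Cloud monitoring API, not from this page; the two-page response embedded in the block is constructed so the loop can be exercised offline.

```python
"""Pull audit events from the ForgeRock Identity Cloud logs API, one page at a time.

Added example, not code from the Elastic integration or from ForgeRock.
Assumptions (from the Identity Cloud monitoring API, not from this page):
  GET https://<tenant>/monitoring/logs?source=<name>&beginTime=..&endTime=..
  authenticated with the x-api-key / x-api-secret headers, answering with
  {"result": [...], "pagedResultsCookie": "<cookie or null>"} and continued
  by resending the cookie as the _pagedResultsCookie query parameter.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

LOGS_PATH = "/monitoring/logs"


def build_request(tenant: str, source: str, begin: str, end: str,
                  cookie: Optional[str], key_id: str, key_secret: str) -> urllib.request.Request:
    """Build one page request. The secret travels in a header, never in the URL (and so never in proxy logs)."""
    params = {"source": source, "beginTime": begin, "endTime": end}
    if cookie:
        params["_pagedResultsCookie"] = cookie
    url = f"https://{tenant}{LOGS_PATH}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={
        "x-api-key": key_id,
        "x-api-secret": key_secret,
        "Accept": "application/json",
    })


def http_get_json(req: urllib.request.Request) -> dict:
    """Real transport (talks to the network); replaced by a fake in collect_offline()."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_events(tenant: str, source: str, begin: str, end: str, key_id: str, key_secret: str,
                get_json: Callable[[urllib.request.Request], dict] = http_get_json) -> Iterator[dict]:
    """Yield every event in the window, following pagedResultsCookie until it is null.

    A cookie seen twice aborts the loop so a misbehaving server cannot spin the collector forever.
    """
    cookie, seen = None, set()
    while True:
        page = get_json(build_request(tenant, source, begin, end, cookie, key_id, key_secret))
        for ev in page.get("result", []):
            yield ev
        cookie = page.get("pagedResultsCookie")
        if not cookie or cookie in seen:
            return
        seen.add(cookie)


# Constructed two-page response used to exercise the loop offline.
FAKE_PAGES = [
    {"result": [{"payload": {"eventName": "AM-LOGIN-COMPLETED"}, "source": "am-authentication"}],
     "pagedResultsCookie": "page-2"},
    {"result": [{"payload": {"eventName": "AM-SESSION-CREATED"}, "source": "am-activity"}],
     "pagedResultsCookie": None},
]


def fake_get_json(calls: list) -> Callable[[urllib.request.Request], dict]:
    """Transport stand-in: records each request URL and serves FAKE_PAGES in order."""
    def _get(req: urllib.request.Request) -> dict:
        calls.append(req.full_url)
        return FAKE_PAGES[len(calls) - 1]
    return _get


def collect_offline():
    """Run the pagination loop against the constructed pages; returns (events, request URLs)."""
    calls: list = []
    events = list(iter_events("tenant.example.com", "am-authentication",
                              "2024-06-12T00:00:00Z", "2024-06-12T01:00:00Z",
                              "key-id", "key-secret", get_json=fake_get_json(calls)))
    return events, calls


if __name__ == "__main__":
    events, calls = collect_offline()
    print(f"{len(events)} events over {len(calls)} requests")
```

The second request carries the cookie from the first page and the loop stops when the cookie comes back null; the secret appears in neither URL.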

Logs

AM_Access events

This is the forgerock.am_access dataset. These logs capture every incoming Identity Cloud access call as an audit event: who made the request, what was requested, when, and what the response was.

An example event for am_access looks as follows:

{
    "@timestamp": "2022-11-06T18:16:43.813Z",
    "agent": {
        "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_access",
        "namespace": "51919",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-SESSION-IDLE_TIMED_OUT",
        "agent_id_status": "verified",
        "created": "2024-06-12T03:05:10.979Z",
        "dataset": "forgerock.am_access",
        "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599",
        "ingested": "2024-06-12T03:05:14Z",
        "type": [
            "access"
        ]
    },
    "forgerock": {
        "eventName": "AM-SESSION-IDLE_TIMED_OUT",
        "level": "INFO",
        "objectId": "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901",
        "realm": "/",
        "source": "audit",
        "topic": "activity",
        "trackingIds": [
            "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Session"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-access"
    ],
    "transaction": {
        "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-1"
    },
    "user": {
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.eventName (keyword): The name of the audit event.
forgerock.http.request.headers.* (object): The headers of the HTTP request.
forgerock.http.request.headers.accept (keyword): The accept header of the HTTP request.
forgerock.http.request.headers.accept-api-version (keyword): The accept-api-version header of the HTTP request.
forgerock.http.request.headers.content-type (keyword): The content-type header of the HTTP request.
forgerock.http.request.headers.host (keyword): The host header of the HTTP request.
forgerock.http.request.headers.origin (keyword): The origin header of the HTTP request.
forgerock.http.request.headers.user-agent (keyword): The user-agent header of the HTTP request.
forgerock.http.request.headers.x-forwarded-for (keyword): The x-forwarded-for header of the HTTP request. It is written by the proxy chain in front of AM and can be supplied by the client, so treat it as untrusted unless your edge strips client-provided values.
forgerock.http.request.headers.x-forwarded-proto (keyword): The x-forwarded-proto header of the HTTP request.
forgerock.http.request.headers.x-requested-with (keyword): The x-requested-with header of the HTTP request.
forgerock.http.request.queryParameters.* (object): The query parameter string of the HTTP request.
forgerock.http.request.secure (boolean): A flag describing whether or not the HTTP request was secure.
forgerock.level (keyword): The log level.
forgerock.objectId (keyword): Specifies the identifier of an object that has been created, updated, or deleted.
forgerock.realm (keyword): The realm where the operation occurred.
forgerock.request.detail.* (object): Details around the request.
forgerock.request.detail.action (keyword): Details around the request action.
forgerock.request.detail.grant_type (keyword): The request's OAuth 2.0 grant type.
forgerock.request.detail.scope (keyword): The request's scope.
forgerock.request.detail.token_type_hint (keyword): The request's token type hint.
forgerock.request.operation (keyword): The request operation.
forgerock.request.protocol (keyword): The protocol associated with the request; REST or PLL.
forgerock.response.detail.* (object): Details around the response status.
forgerock.response.detail.active (boolean): The active flag returned in the response (for an OAuth 2.0 token introspection response, whether the token is active).
forgerock.response.detail.client_id (keyword): The response's client ID.
forgerock.response.detail.revision (keyword): The response's revision.
forgerock.response.detail.scope (keyword): The response's scope.
forgerock.response.detail.token_type (keyword): The response's token type.
forgerock.response.detail.username (keyword): The response's username.
forgerock.response.elapsedTime (date): Time to execute event. In the example events on this page the value is an integer count whose unit is given by forgerock.response.elapsedTimeUnits, not a timestamp.
forgerock.response.elapsedTimeUnits (keyword): Units for response time.
forgerock.response.status (keyword): Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED.
forgerock.roles (keyword): IDM roles associated with the request.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
forgerock.trackingIds (keyword): Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.
http.request.Path (keyword): The path of the HTTP request.
input.type (keyword): Input type.

AM_Activity events

This is the forgerock.am_activity dataset. These logs capture state changes to objects that Identity Cloud end users have created, updated, or deleted, including session, user profile, and device profile changes.

An example event for am_activity looks as follows:

{
    "@timestamp": "2022-10-05T20:55:59.966Z",
    "agent": {
        "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_activity",
        "namespace": "71478",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-SESSION-CREATED",
        "agent_id_status": "verified",
        "created": "2024-06-12T03:05:53.025Z",
        "dataset": "forgerock.am_activity",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366",
        "ingested": "2024-06-12T03:05:57Z",
        "reason": "CREATE"
    },
    "forgerock": {
        "level": "INFO",
        "objectId": "45463f84-ff1b-499f-aa84-8d4bd93150de-438033",
        "realm": "/",
        "source": "audit",
        "topic": "activity",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-438033"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Session"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-activity"
    ],
    "transaction": {
        "id": "5ff83988-8f23-4108-9359-42658fcfc4d1-request-3/0"
    },
    "user": {
        "effective": {
            "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
        },
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.after.* (object): Specifies the JSON representation of the object after the activity.
forgerock.before.* (object): Specifies the JSON representation of the object prior to the activity.
forgerock.changedFields (keyword): Specifies the fields that were changed.
forgerock.eventName (keyword): The name of the audit event.
forgerock.level (keyword): The log level.
forgerock.objectId (keyword): Specifies the identifier of an object that has been created, updated, or deleted.
forgerock.realm (keyword): The realm where the operation occurred.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
forgerock.trackingIds (keyword): Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.
input.type (keyword): Input type.

AM_Authentication events

This is the forgerock.am_authentication dataset. These logs capture when and how a user was authenticated, together with related audit events.

An example event for am_authentication looks as follows:

{
    "@timestamp": "2022-10-05T18:21:48.253Z",
    "agent": {
        "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_authentication",
        "namespace": "88343",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-LOGIN-COMPLETED",
        "agent_id_status": "verified",
        "category": [
            "authentication"
        ],
        "created": "2024-06-12T03:06:40.162Z",
        "dataset": "forgerock.am_authentication",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
        "ingested": "2024-06-12T03:06:44Z",
        "outcome": "success"
    },
    "forgerock": {
        "entries": [
            {
                "info": {
                    "authIndex": "module_instance",
                    "authIndexValue": "Application",
                    "authLevel": "0",
                    "ipAddress": "1.128.0.0"
                },
                "moduleId": "Application"
            }
        ],
        "eventName": "AM-LOGIN-COMPLETED",
        "level": "INFO",
        "principal": [
            "autoid-resource-server"
        ],
        "realm": "/",
        "source": "audit",
        "topic": "authentication",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-256204"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Authentication"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-authentication"
    ],
    "transaction": {
        "id": "1664994108247-9f138d8fc9f59d23164c-26466/0"
    },
    "user": {
        "id": "id=autoid-resource-server,ou=agent,ou=am-config"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.entries (flattened): The JSON representation of the details of an authentication module, chain, tree, or node.
forgerock.eventName (keyword): The name of the audit event.
forgerock.level (keyword): The log level.
forgerock.principal (keyword): The array of accounts used to authenticate.
forgerock.realm (keyword): The realm where the operation occurred.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
forgerock.trackingIds (keyword): Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.
input.type (keyword): Input type.
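The fields above are what a brute-force or password-spray detection keys on: event.action and event.outcome for the result, user.id / forgerock.principal for the account, and the ipAddress recorded inside forgerock.entries for the source. The following Python is an added example (not part of the Elastic integration or ForgeRock) that runs two sliding-window checks over constructed am_authentication events in the ECS shape shown above. It assumes a failed login is normalized to event.outcome "failure", which the page's single example (a success) does not show; the thresholds are illustrative.

```python
"""Failed-login burst and password-spray detection over forgerock.am_authentication events.

Added example, not part of the Elastic integration or ForgeRock. The events below are
constructed in the ECS shape of the am_authentication example on this page.
Assumption: a failed authentication is normalized to event.outcome == "failure"
(the page only shows a successful AM-LOGIN-COMPLETED event).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # illustrative thresholds; tune per tenant
USER_FAILS = 5                  # failures by one user.id inside WINDOW
SPRAY_USERS = 3                 # distinct user.ids failing from one IP inside WINDOW


def get(ev, path, default=None):
    """Dotted lookup into a nested ECS document, e.g. get(ev, "event.outcome")."""
    cur = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def source_ip(ev):
    """Client IP recorded by the first authentication module/node entry, if present."""
    entries = get(ev, "forgerock.entries") or []
    return get(entries[0], "info.ipAddress") if entries else None


def ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(events):
    """Return (kind, key, count, @timestamp) alerts in event order.

    Each alert fires once, on the event that makes its window cross the threshold.
    """
    per_user = defaultdict(deque)   # user.id -> timestamps of recent failures
    per_ip = defaultdict(deque)     # ip -> (timestamp, user.id) of recent failures
    alerts = []
    for ev in sorted(events, key=ts):
        if get(ev, "event.action") != "AM-LOGIN-COMPLETED" or get(ev, "event.outcome") != "failure":
            continue
        now, user, ip = ts(ev), get(ev, "user.id"), source_ip(ev)

        dq = per_user[user]
        dq.append(now)
        while now - dq[0] > WINDOW:      # evict failures that fell out of the window
            dq.popleft()
        if len(dq) == USER_FAILS:
            alerts.append(("user_burst", user, len(dq), ev["@timestamp"]))

        if ip:
            iq = per_ip[ip]
            iq.append((now, user))
            while now - iq[0][0] > WINDOW:
                iq.popleft()
            earlier = {u for _, u in list(iq)[:-1]}
            if user not in earlier and len(earlier) + 1 == SPRAY_USERS:
                alerts.append(("spray", ip, SPRAY_USERS, ev["@timestamp"]))
    return alerts


def mk(t, user, outcome, ip):
    """Constructed am_authentication event in the page's ECS shape, trimmed to the fields used."""
    return {"@timestamp": t,
            "event": {"action": "AM-LOGIN-COMPLETED", "category": ["authentication"], "outcome": outcome},
            "user": {"id": user},
            "forgerock": {"eventName": "AM-LOGIN-COMPLETED", "principal": [user],
                          "entries": [{"moduleId": "DataStore", "info": {"ipAddress": ip}}]}}


# Constructed sample: one account hammered from one address, then three accounts tried from another.
SAMPLE = (
    [mk(f"2024-06-12T03:06:{i:02d}.000Z", "alice", "failure", "198.51.100.7") for i in range(5)]
    + [mk(f"2024-06-12T03:07:{i:02d}.000Z", u, "failure", "203.0.113.9")
       for i, u in enumerate(["bob", "carol", "dave"])]
    + [mk("2024-06-12T03:08:00.000Z", "erin", "success", "203.0.113.9")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The per-user check catches a single account under attack; the per-IP check catches low-and-slow spraying that never trips a per-user threshold. Successful logins are ignored by both, so the final event for erin produces nothing.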

AM_Config events

This is the forgerock.am_config dataset. These logs capture access management configuration changes in Identity Cloud, with a timestamp and the identity that made the change.

An example event for am_config looks as follows:

{
    "@timestamp": "2022-09-20T14:40:10.664Z",
    "agent": {
        "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_config",
        "namespace": "65246",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-CONFIG-CHANGE",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2024-06-12T03:07:28.334Z",
        "dataset": "forgerock.am_config",
        "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605",
        "ingested": "2024-06-12T03:07:31Z"
    },
    "forgerock": {
        "level": "INFO",
        "objectId": "ou=test,ou=agentgroup,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=alpha,ou=services,ou=am-config",
        "operation": "CREATE",
        "realm": "/alpha",
        "source": "audit",
        "topic": "config",
        "trackingIds": [
            "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-5563"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-config"
    ],
    "transaction": {
        "id": "1663684810619-c42f8145dec437c43428-2465/0"
    },
    "user": {
        "effective": {
            "id": "id=dsameuser,ou=user,ou=am-config"
        },
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.changedFields (keyword): Specifies the fields that were changed.
forgerock.eventName (keyword): The name of the audit event.
forgerock.level (keyword): The log level.
forgerock.objectId (keyword): Specifies the identifier of an object that has been created, updated, or deleted.
forgerock.operation (keyword): The state change operation invoked.
forgerock.realm (keyword): The realm where the operation occurred.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
forgerock.trackingIds (keyword): Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.
input.type (keyword): Input type.
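In the example event above the interesting information is packed into forgerock.objectId, an LDAP-style DN under ou=am-config, and into the pair user.id / user.effective.id (the admin who issued the change versus the dsameuser identity it was applied as). The following Python is an added example (not part of the Elastic integration or ForgeRock) that parses that DN, works out which AM service was touched and in which realm, and raises review flags. The conventions it relies on, the RDN just before ou=services naming the service and o=<name> carrying the realm, are inferred from this page's single example and are assumptions, not a documented contract; the list of sensitive services is illustrative. SAMPLE_EVENT is built from the example above.

```python
"""Triage forgerock.am_config events: which AM service changed, in which realm, and by whom.

Added example, not part of the Elastic integration or ForgeRock. SAMPLE_EVENT is
constructed from the am_config example on this page. Two conventions are inferred from
that example and are assumptions, not a documented contract: the RDN just before
"ou=services" names the service, and "o=<name>" carries the realm.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Services whose configuration changes warrant review (assumption: an illustrative list).
SENSITIVE_SERVICES = {"AgentService", "OAuth2Provider", "iPlanetAMAuthService"}


def parse_dn(dn: str) -> List[tuple]:
    """Split an LDAP DN into (attribute, value) pairs; a backslash escapes the next character."""
    rdns, buf, esc = [], "", False
    for ch in dn:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs


def service_name(rdns) -> Optional[str]:
    """Value of the RDN immediately before the first 'ou=services' (assumption, see above)."""
    for i in range(1, len(rdns)):
        if rdns[i] == ("ou", "services") and rdns[i - 1][0] == "ou":
            return rdns[i - 1][1]
    return None


def dn_realm(rdns) -> str:
    """Realm implied by the DN: '/<o>' for the first 'o=' RDN, else the top-level realm '/'."""
    for attr, val in rdns:
        if attr == "o":
            return "/" + val
    return "/"


@dataclass
class ConfigChange:
    service: Optional[str]
    realm: str
    operation: str
    actor: str
    effective: str
    flags: List[str] = field(default_factory=list)


def triage(ev: dict) -> ConfigChange:
    fr, user = ev.get("forgerock", {}), ev.get("user", {})
    rdns = parse_dn(fr.get("objectId", ""))
    actor = user.get("id", "")
    effective = user.get("effective", {}).get("id", actor)
    realm = fr.get("realm", "/")
    change = ConfigChange(service_name(rdns), realm, fr.get("operation", ""), actor, effective)
    if actor != effective:                      # applied under an identity other than the caller's
        change.flags.append("actor_differs_from_effective_user")
    if change.service in SENSITIVE_SERVICES:
        change.flags.append("sensitive_service")
    if change.operation == "DELETE":
        change.flags.append("delete")
    if dn_realm(rdns) != realm:                 # object lives in a realm other than the one reported
        change.flags.append("realm_mismatch")
    return change


# Constructed from the am_config example on this page.
SAMPLE_EVENT = {
    "event": {"action": "AM-CONFIG-CHANGE", "category": ["configuration"]},
    "forgerock": {
        "objectId": "ou=test,ou=agentgroup,ou=OrganizationConfig,ou=1.0,ou=AgentService,"
                    "ou=services,o=alpha,ou=services,ou=am-config",
        "operation": "CREATE", "realm": "/alpha", "topic": "config"},
    "user": {"effective": {"id": "id=dsameuser,ou=user,ou=am-config"},
             "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"},
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

On the page's own example the actor/effective flag fires, because AM applied the admin's change as dsameuser; that is normal for this platform, so treat the flag as context for the analyst (who really asked for the change) rather than as an alert on its own.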

AM_Core events

This is the forgerock.am_core dataset. These logs capture the access management debug log for Identity Cloud. Unlike the other datasets they are not audit events: the example below is tagged forgerock-debug and carries log.level and log.logger rather than a forgerock.eventName.

An example event for am_core looks as follows:

{
    "@timestamp": "2022-12-05T19:29:20.845Z",
    "agent": {
        "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_core",
        "namespace": "90018",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:08:15.631Z",
        "dataset": "forgerock.am_core",
        "ingested": "2024-06-12T03:08:19Z",
        "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10"
    },
    "forgerock": {
        "context": "default"
    },
    "input": {
        "type": "httpjson"
    },
    "log": {
        "level": "DEBUG",
        "logger": "org.forgerock.opendj.ldap.CachedConnectionPool"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "process": {
        "name": "LDAP SDK Default Scheduler"
    },
    "tags": [
        "forwarded",
        "forgerock-debug",
        "forgerock-am-core"
    ]
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.context (keyword): The context of the debug event.
input.type (keyword): Input type.

IDM_access events

This is the forgerock.idm_access dataset. These logs capture messages for the identity management REST endpoints and the invocation of scheduled tasks: the who, what, and output for every identity management access request in Identity Cloud.

An example event for idm_access looks as follows:

{
    "@timestamp": "2022-11-01T15:04:50.110Z",
    "agent": {
        "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "ip": "216.160.83.56",
        "port": 56278
    },
    "data_stream": {
        "dataset": "forgerock.idm_access",
        "namespace": "61539",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:09:02.660Z",
        "dataset": "forgerock.idm_access",
        "duration": 2000000,
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025",
        "ingested": "2024-06-12T03:09:14Z",
        "outcome": "success",
        "type": [
            "access"
        ]
    },
    "forgerock": {
        "eventName": "access",
        "http": {
            "request": {
                "headers": {
                    "host": [
                        "idm"
                    ]
                },
                "secure": false
            }
        },
        "level": "INFO",
        "request": {
            "operation": "READ",
            "protocol": "CREST"
        },
        "response": {
            "elapsedTime": 2,
            "elapsedTimeUnits": "MILLISECONDS",
            "status": "SUCCESSFUL"
        },
        "roles": [
            "internal/role/openidm-reg"
        ],
        "source": "audit",
        "topic": "access"
    },
    "http": {
        "request": {
            "Path": "http://idm/openidm/info/ping",
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "server": {
        "ip": "81.2.69.142"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-access"
    ],
    "transaction": {
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49021"
    },
    "user": {
        "id": "anonymous"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.eventName (keyword): The name of the audit event.
forgerock.http.request.headers.host (keyword): The host header of the HTTP request.
forgerock.http.request.secure (boolean): A flag describing whether or not the HTTP request was secure.
forgerock.level (keyword): The log level.
forgerock.request.operation (keyword): The request operation.
forgerock.request.protocol (keyword): The protocol associated with the request; REST or PLL.
forgerock.response.elapsedTime (date): Time to execute event. In the example event on this page the value is an integer count whose unit is given by forgerock.response.elapsedTimeUnits, not a timestamp.
forgerock.response.elapsedTimeUnits (keyword): Units for response time.
forgerock.response.status (keyword): Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED.
forgerock.roles (keyword): IDM roles associated with the request.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
http.request.Path (keyword): The path of the HTTP request.
input.type (keyword): Input type.
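Both access datasets on this page (am_access above and idm_access here) carry the same triage signals: forgerock.http.request.secure, http.request.Path, http.response.status_code, client.ip, user.id, and forgerock.response.elapsedTime with its separate unit field. The following Python is an added example (not part of the Elastic integration or ForgeRock) that runs four checks over constructed idm_access events in the ECS shape shown above: requests that arrived over plaintext, anonymous callers reaching paths outside an allow-list, slow responses after normalizing elapsedTimeUnits, and error bursts per client IP. The thresholds and the allow-list are illustrative assumptions; note that the page's own example already shows secure: false for an internal /openidm/info/ping, so a real deployment would baseline that before alerting on it.

```python
"""Triage ForgeRock access audit events (forgerock.am_access and forgerock.idm_access).

Added example, not part of the Elastic integration or ForgeRock. SAMPLE is constructed in
the ECS shape of the idm_access example on this page (am_access events carry the same
forgerock.http.request.secure, forgerock.response.* and http.request.Path fields). The
thresholds and the allow-list of paths an anonymous caller may legitimately reach are
illustrative assumptions.
"""
from collections import Counter
from urllib.parse import urlparse

ANON_ALLOWED = {"/openidm/info/ping"}   # assumption: paths an unauthenticated caller may hit
ERROR_BURST = 3                        # 4xx/5xx responses from one client.ip in the batch
SLOW_MS = 1000


def get(ev, path, default=None):
    """Dotted lookup into a nested ECS document, e.g. get(ev, "http.response.status_code")."""
    cur = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def request_path(ev):
    """http.request.Path holds a full URL in the page's example; reduce it to the path component."""
    raw = get(ev, "http.request.Path", "") or ""
    return urlparse(raw).path if "://" in raw else raw


def elapsed_ms(ev):
    """Normalize forgerock.response.elapsedTime to milliseconds using elapsedTimeUnits."""
    units = get(ev, "forgerock.response.elapsedTimeUnits", "MILLISECONDS")
    val = get(ev, "forgerock.response.elapsedTime", 0) or 0
    factor = {"NANOSECONDS": 1e-6, "MICROSECONDS": 1e-3, "MILLISECONDS": 1, "SECONDS": 1000}
    return val * factor.get(units, 1)


def triage(events):
    """Return ([(finding, detail, event.id), ...], Counter of 4xx/5xx responses per client.ip)."""
    findings, errors = [], Counter()
    for ev in events:
        eid, path = get(ev, "event.id"), request_path(ev)
        if get(ev, "forgerock.http.request.secure") is False:
            findings.append(("plaintext_request", path, eid))
        if get(ev, "user.id") == "anonymous" and path not in ANON_ALLOWED:
            findings.append(("anonymous_outside_allowlist", path, eid))
        if elapsed_ms(ev) >= SLOW_MS:
            findings.append(("slow_request", f"{elapsed_ms(ev):.0f}ms {path}", eid))
        status, ip = get(ev, "http.response.status_code", 0) or 0, get(ev, "client.ip")
        if status >= 400 and ip:
            errors[ip] += 1
            if errors[ip] == ERROR_BURST:
                findings.append(("error_burst", ip, eid))
    return findings, errors


def mk(eid, path, user, secure, status, elapsed, ip, units="MILLISECONDS"):
    """Constructed idm_access event trimmed to the fields the checks use."""
    return {"event": {"id": eid, "dataset": "forgerock.idm_access"},
            "user": {"id": user}, "client": {"ip": ip},
            "forgerock": {"http": {"request": {"secure": secure}},
                          "response": {"elapsedTime": elapsed, "elapsedTimeUnits": units,
                                       "status": "SUCCESSFUL" if status < 400 else "FAILED"}},
            "http": {"request": {"Path": path, "method": "GET"},
                     "response": {"status_code": status}}}


# Constructed sample: the page's ping, an anonymous caller probing managed objects, and one slow query.
SAMPLE = [
    mk("e1", "http://idm/openidm/info/ping", "anonymous", False, 200, 2, "216.160.83.56"),
    mk("e2", "http://idm/openidm/managed/alpha_user?_queryFilter=true", "anonymous", True, 403, 4, "198.51.100.20"),
    mk("e3", "http://idm/openidm/managed/alpha_user/1", "anonymous", True, 403, 3, "198.51.100.20"),
    mk("e4", "http://idm/openidm/config/authentication", "anonymous", True, 403, 3, "198.51.100.20"),
    mk("e5", "http://idm/openidm/managed/alpha_user?_queryFilter=true",
       "9120c7db-d7e6-4b51-b805-07bbee7a4bb9", True, 200, 2, "203.0.113.5", units="SECONDS"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE)[0]:
        print(finding)
```

The unit normalization matters because elapsedTime is a bare count: the same value 2 means 2 ms in the page's example and 2 s in the last constructed event, and only the latter is slow.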

IDM_activity events

This is the forgerock.idm_activity dataset. These logs capture operations on internal (managed) and external (system) objects in Identity Cloud, that is, changes to identity content such as adding or updating users and changing passwords.

An example event for idm_activity looks as follows:

{
    "@timestamp": "2022-11-01T18:02:39.882Z",
    "agent": {
        "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_activity",
        "namespace": "89179",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:09:56.979Z",
        "dataset": "forgerock.idm_activity",
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906",
        "ingested": "2024-06-12T03:10:08Z",
        "outcome": "success"
    },
    "forgerock": {
        "eventName": "relationship_created",
        "level": "INFO",
        "message": "Relationship originating from managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88 via the relationship field parent and referencing managed/alpha_organization/c4de605d-9d1b-439e-9ea8-9aba47e01008  was created.",
        "objectId": "managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88/parent/bb20cd10-e6ad-48fd-8ef1-e8d4c3f7859f",
        "operation": "CREATE",
        "passwordChanged": false,
        "revision": "00000000478fd92b",
        "source": "audit",
        "topic": "activity"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-activity"
    ],
    "transaction": {
        "id": "1667325742545-ee41d6454a6b4a815b69-24798/0"
    },
    "user": {
        "effective": {
            "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9"
        },
        "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9"
    }
}

Exported fields

Field (type): Description
@timestamp (date): Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
data_stream.dataset (constant_keyword): The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.namespace (constant_keyword): A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
data_stream.type (constant_keyword): An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
forgerock.eventName (keyword): The name of the audit event.
forgerock.level (keyword): The log level.
forgerock.message (keyword): Human readable text about the action.
forgerock.objectId (keyword): Specifies the identifier of an object that has been created, updated, or deleted.
forgerock.operation (keyword): The state change operation invoked.
forgerock.passwordChanged (boolean): Boolean specifying whether changes were made to the password.
forgerock.revision (keyword): Specifies the object revision number.
forgerock.source (keyword): The source of the event.
forgerock.topic (keyword): The topic of the event.
input.type (keyword): Input type.

IDM_authentication events

This is the forgerock.idm_authentication dataset. These logs capture the results when you authenticate to an /openidm endpoint to complete certain actions on an object. More information about these logs.

An example event for idm_authentication looks as follows:

{
    "@timestamp": "2022-10-05T18:21:48.253Z",
    "agent": {
        "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_authentication",
        "namespace": "54220",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "authentication"
        ],
        "created": "2024-06-12T03:10:55.079Z",
        "dataset": "forgerock.idm_authentication",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
        "ingested": "2024-06-12T03:11:07Z",
        "outcome": "success"
    },
    "forgerock": {
        "entries": [
            {
                "info": {
                    "authIndex": "module_instance",
                    "authIndexValue": "Application",
                    "authLevel": "0",
                    "ipAddress": "1.128.0.0"
                },
                "moduleId": "Application"
            }
        ],
        "eventName": "authentication",
        "level": "INFO",
        "method": "MANAGED_USER",
        "principal": [
            "openidm-admin"
        ],
        "result": "SUCCESSFUL",
        "topic": "authentication",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-256204"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-authentication"
    ],
    "transaction": {
        "id": "1664994108247-9f138d8fc9f59d23164c-26466/0"
    },
    "user": {
        "id": "id=user"
    }
}

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
forgerock.entries | The JSON representation of the details of an authentication module, chain, tree, or node. | flattened
forgerock.eventName | The name of the audit event. | keyword
forgerock.level | The log level. | keyword
forgerock.method | The authentication method, such as JWT or MANAGED_USER. | keyword
forgerock.principal | The array of accounts used to authenticate. | keyword
forgerock.result | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword
forgerock.topic | The topic of the event. | keyword
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword
input.type | Input type | keyword

IDM_config events

This is the forgerock.idm_config dataset. These logs capture configuration changes to Identity Cloud, recording when each change was made and by whom. More information about these logs.

An example event for idm_config looks as follows:

{
    "@timestamp": "2022-10-19T16:12:12.549Z",
    "agent": {
        "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_config",
        "namespace": "74292",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2024-06-12T03:11:48.197Z",
        "dataset": "forgerock.idm_config",
        "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332",
        "ingested": "2024-06-12T03:12:00Z"
    },
    "forgerock": {
        "changedFields": [
            "/mappings"
        ],
        "eventName": "CONFIG",
        "level": "INFO",
        "objectId": "sync",
        "source": "audit",
        "topic": "config"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-config"
    ],
    "transaction": {
        "id": "1666195908296-b802a87436c00618a43e-13149/0"
    },
    "user": {
        "effective": {
            "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
        },
        "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
    }
}

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
forgerock.changedFields | Specifies the fields that were changed. | keyword
forgerock.eventName | The name of the audit event. | keyword
forgerock.level | The log level. | keyword
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword
forgerock.source | The source of the event. | keyword
forgerock.topic | The topic of the event. | keyword
input.type | Input type | keyword
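
The idm_authentication and idm_config field lists above are enough to write simple triage logic on top of the ingested events. The following is an added example, not code from the Elastic integration: it builds constructed events carrying only the documented fields (forgerock.result, forgerock.principal, forgerock.changedFields, forgerock.objectId, user.id), flags principals that accumulate FAIL/FAILED results inside a sliding window, and lists idm_config changes that touch a watched path such as /mappings. The objectId "ui/configuration", the principal "alice" and all timestamps other than the page's own are assumed sample values.

```python
# Added example (not part of the Elastic integration): triage the
# idm_authentication and idm_config events documented on this page.
from collections import defaultdict
from datetime import datetime, timedelta
ADMIN_USER = "d7cd65bf-743c-4753-a78f-a20daae7e3bf"  # user.id from the page's sample

def _auth(ts, principal, result):
    # Constructed idm_authentication event, trimmed to the documented fields.
    return {"@timestamp": ts, "data_stream": {"dataset": "forgerock.idm_authentication"},
            "forgerock": {"principal": [principal], "result": result, "topic": "authentication"}}

def _config(ts, object_id, changed, user_id):
    # Constructed idm_config event, trimmed to the documented fields.
    return {"@timestamp": ts, "data_stream": {"dataset": "forgerock.idm_config"},
            "forgerock": {"eventName": "CONFIG", "objectId": object_id, "changedFields": changed},
            "user": {"id": user_id}}

SAMPLE_EVENTS = [  # constructed sample input; "alice" and "ui/configuration" are hypothetical
    _auth("2022-10-05T18:21:48.253Z", "openidm-admin", "FAILED"),
    _auth("2022-10-05T18:22:03.100Z", "openidm-admin", "FAILED"),
    _auth("2022-10-05T18:22:41.417Z", "openidm-admin", "FAILED"),
    _auth("2022-10-05T18:23:10.000Z", "openidm-admin", "SUCCESSFUL"),
    _auth("2022-10-05T18:23:55.250Z", "openidm-admin", "FAIL"),
    _auth("2022-10-05T19:40:00.000Z", "alice", "FAILED"),
    _config("2022-10-19T16:12:12.549Z", "sync", ["/mappings"], ADMIN_USER),
    _config("2022-10-19T16:15:00.000Z", "ui/configuration", ["/theme"], ADMIN_USER),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map principal -> largest count of FAIL/FAILED results inside any
    `window`, for principals whose count reaches `threshold`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["data_stream"]["dataset"] != "forgerock.idm_authentication":
            continue
        if ev["forgerock"].get("result") not in ("FAIL", "FAILED"):
            continue
        for principal in ev["forgerock"].get("principal", []):
            failures[principal].append(_ts(ev["@timestamp"]))
    flagged = {}
    for principal, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[principal] = best
    return flagged

def sensitive_config_changes(events, watched=("/mappings",)):
    """List (objectId, changed field, user.id) for idm_config changes under a watched path."""
    hits = []
    for ev in events:
        if ev["data_stream"]["dataset"] != "forgerock.idm_config":
            continue
        for field in ev["forgerock"].get("changedFields", []):
            if field.startswith(watched):
                hits.append((ev["forgerock"]["objectId"], field, ev.get("user", {}).get("id")))
    return hits
```

The SUCCESSFUL result between the failures is ignored, so four FAIL/FAILED results for openidm-admin within 5 minutes are reported while the single failure for alice is not.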

IDM_core events

This is the forgerock.idm_core dataset. These logs capture identity management debug logs for Identity Cloud. More information about these logs.

An example event for idm_core looks as follows:

{
    "@timestamp": "2022-12-05T20:01:34.448Z",
    "agent": {
        "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_core",
        "namespace": "52603",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:12:40.380Z",
        "dataset": "forgerock.idm_core",
        "ingested": "2024-06-12T03:12:52Z",
        "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-debug",
        "forgerock-idm-core"
    ]
}

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
forgerock.idm_core.message | | keyword
forgerock.idm_core.name | | keyword
forgerock.idm_core.target | | keyword
forgerock.idm_core.type | | keyword
input.type | Input type | keyword

IDM_sync events

This is the forgerock.idm_sync dataset. These logs capture changes made to an object that trigger automatic synchronization (live sync and implicit sync) when a repository is mapped to Identity Cloud. More information about these logs.

An example event for idm_sync looks as follows:

{
    "@timestamp": "2022-10-19T16:09:17.900Z",
    "agent": {
        "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_sync",
        "namespace": "29113",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:13:33.362Z",
        "dataset": "forgerock.idm_sync",
        "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280",
        "ingested": "2024-06-12T03:13:45Z",
        "outcome": "success"
    },
    "forgerock": {
        "action": "ASYNC",
        "eventName": "sync",
        "level": "INFO",
        "linkQualifier": "default",
        "mapping": "managedalpha_user_managedMarketinglist",
        "situation": "SOURCE_IGNORED",
        "source": "audit",
        "sourceObjectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41",
        "topic": "sync"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-sync"
    ],
    "transaction": {
        "id": "1666195747447-56a35455016b7da218a6-11991/0"
    },
    "user": {
        "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
    }
}

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: must not contain "-"; no longer than 100 characters. | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
forgerock.action | The synchronization action, depicted as a Common REST action. | keyword
forgerock.eventName | The name of the audit event. | keyword
forgerock.level | The log level. | keyword
forgerock.linkQualifier | ForgeRock's link qualifier applied to the action. | keyword
forgerock.mapping | Name of the mapping used for the synchronization operation. | keyword
forgerock.situation | | keyword
forgerock.source | The source of the event. | keyword
forgerock.sourceObjectId | Object ID on the source system. | keyword
forgerock.targetObjectId | Object ID on the target system. | keyword
forgerock.topic | The topic of the event. | keyword
input.type | Input type | keyword

Changelog

Version | Details | Kibana version(s)
1.18.4 | Bug fix: Fix handling of endTime query parameter. | 8.13.0 or higher
1.18.3 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher
1.18.2 | Bug fix: Fix handling of idm_core object payloads. | 8.13.0 or higher
1.18.1 | Bug fix: Fix handling of query time ranges. | 8.13.0 or higher
1.18.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.17.1 | Bug fix: Fix sample event. | 8.12.0 or higher
1.17.0 | Enhancement: Make event.type and event.category fields conform to ECS field definition. | 8.12.0 or higher
1.16.0 | Enhancement: Improve handling of empty responses. | 8.12.0 or higher
1.15.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher
1.14.1 | Enhancement: Changed owners | 8.7.1 or higher
1.14.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher
1.13.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher
1.12.0 | Enhancement: Improve 'event.original' check to avoid errors if set. | 8.7.1 or higher
1.11.0 | Enhancement: Use dynamic mappings for object fields. | 8.7.1 or higher
1.10.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher
1.9.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. | 8.7.1 or higher
1.8.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher
1.7.0 | Enhancement: Update package-spec to 2.10.0. | 8.7.1 or higher
1.6.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher
1.5.0 | Enhancement: Document duration units. | 8.7.1 or higher
1.4.0 | Enhancement: Document valid duration units. | 8.7.1 or higher
1.3.1 | Bug fix: Fix IDM Activity revision field type. | 8.7.1 or higher
1.3.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher
1.2.0 | Enhancement: Add a new flag to enable request tracing | 8.7.1 or higher
1.1.0 | Enhancement: Update package to ECS 8.7.0. | 7.17.0 or higher; 8.0.0 or higher
1.0.0 | Enhancement: Initial draft of the package | 7.17.0 or higher; 8.0.0 or higher
