ForgeRock Identity Platform
Property | Value |
---|---|
Version | 1.21.0 |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security |
Subscription level | Basic |
Level of support | Elastic |
ForgeRock is a modern identity platform which helps organizations radically simplify identity and access management (IAM) and identity governance and administration (IGA). The ForgeRock integration collects audit logs from the API.
Configuration
Authorization parameters for the ForgeRock Identity Cloud API (API Key ID and API Key Secret) can be created in the Identity Cloud admin UI.
Logs
AM_Access events
This is the forgerock.am_access dataset. These logs capture all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request. More information about these logs.
Example
An example event for am_access looks as follows:
```json
{
  "@timestamp": "2022-11-06T18:16:43.813Z",
  "agent": {
    "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.am_access",
    "namespace": "51919",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "AM-SESSION-IDLE_TIMED_OUT",
    "agent_id_status": "verified",
    "created": "2024-06-12T03:05:10.979Z",
    "dataset": "forgerock.am_access",
    "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599",
    "ingested": "2024-06-12T03:05:14Z",
    "type": ["access"]
  },
  "forgerock": {
    "eventName": "AM-SESSION-IDLE_TIMED_OUT",
    "level": "INFO",
    "objectId": "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901",
    "realm": "/",
    "source": "audit",
    "topic": "activity",
    "trackingIds": ["688b24d9-968e-4a20-b471-9bd78f1e46ec-13901"]
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "service": { "name": "Session" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-am-access"],
  "transaction": { "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-1" },
  "user": { "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.http.request.headers.* | The headers of the HTTP request. | object |
forgerock.http.request.headers.accept | The accept header of the HTTP request. | keyword |
forgerock.http.request.headers.accept-api-version | The accept-api-version header of the HTTP request. | keyword |
forgerock.http.request.headers.content-type | The content-type header of the HTTP request. | keyword |
forgerock.http.request.headers.host | The host header of the HTTP request. | keyword |
forgerock.http.request.headers.origin | The origin header of the HTTP request. | keyword |
forgerock.http.request.headers.user-agent | The user-agent header of the HTTP request. | keyword |
forgerock.http.request.headers.x-forwarded-for | The x-forwarded-for header of the HTTP request. | keyword |
forgerock.http.request.headers.x-forwarded-proto | The x-forwarded-proto header of the HTTP request. | keyword |
forgerock.http.request.headers.x-requested-with | The x-requested-with header of the HTTP request. | keyword |
forgerock.http.request.queryParameters.* | The query parameter string of the HTTP request. | object |
forgerock.http.request.secure | A flag describing whether or not the HTTP request was secure. | boolean |
forgerock.level | The log level. | keyword |
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword |
forgerock.realm | The realm where the operation occurred. | keyword |
forgerock.request.detail.* | Details around the response status. | object |
forgerock.request.detail.action | Details around the request action. | keyword |
forgerock.request.detail.grant_type | The request's grant type. | keyword |
forgerock.request.detail.scope | The request's scope. | keyword |
forgerock.request.detail.token_type_hint | The request's token type. | keyword |
forgerock.request.operation | The request operation. | keyword |
forgerock.request.protocol | The protocol associated with the request; REST or PLL. | keyword |
forgerock.response.detail.* | Details around the response status. | object |
forgerock.response.detail.active | A flag for whether or not the response was active. | boolean |
forgerock.response.detail.client_id | The response's client ID. | keyword |
forgerock.response.detail.revision | The response's revision. | keyword |
forgerock.response.detail.scope | The response's scope. | keyword |
forgerock.response.detail.token_type | The response's token type. | keyword |
forgerock.response.detail.username | The response's username. | keyword |
forgerock.response.elapsedTime | Time to execute event. | date |
forgerock.response.elapsedTimeUnits | Units for response time. | keyword |
forgerock.response.status | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword |
forgerock.roles | IDM roles associated with the request. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword |
http.request.Path | The path of the HTTP request. | keyword |
input.type | Input type. | keyword |
AM_Activity events
This is the forgerock.am_activity dataset. These logs capture state changes to objects that have been created, updated, or deleted by Identity Cloud end users. This includes session, user profile, and device profile changes. More information about these logs.
Example
An example event for am_activity looks as follows:
```json
{
  "@timestamp": "2022-10-05T20:55:59.966Z",
  "agent": {
    "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.am_activity",
    "namespace": "71478",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "AM-SESSION-CREATED",
    "agent_id_status": "verified",
    "created": "2024-06-12T03:05:53.025Z",
    "dataset": "forgerock.am_activity",
    "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366",
    "ingested": "2024-06-12T03:05:57Z",
    "reason": "CREATE"
  },
  "forgerock": {
    "level": "INFO",
    "objectId": "45463f84-ff1b-499f-aa84-8d4bd93150de-438033",
    "realm": "/",
    "source": "audit",
    "topic": "activity",
    "trackingIds": ["45463f84-ff1b-499f-aa84-8d4bd93150de-438033"]
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "service": { "name": "Session" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-am-activity"],
  "transaction": { "id": "5ff83988-8f23-4108-9359-42658fcfc4d1-request-3/0" },
  "user": {
    "effective": { "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config" },
    "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
  }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.after.* | Specifies the JSON representation of the object after the activity. | object |
forgerock.before.* | Specifies the JSON representation of the object prior to the activity. | object |
forgerock.changedFields | Specifies the fields that were changed. | keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword |
forgerock.realm | The realm where the operation occurred. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword |
input.type | Input type. | keyword |
AM_Authentication events
This is the forgerock.am_authentication dataset. These logs capture when and how a user is authenticated and related audit events. More information about these logs.
Example
An example event for am_authentication looks as follows:
```json
{
  "@timestamp": "2022-10-05T18:21:48.253Z",
  "agent": {
    "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.am_authentication",
    "namespace": "88343",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "AM-LOGIN-COMPLETED",
    "agent_id_status": "verified",
    "category": ["authentication"],
    "created": "2024-06-12T03:06:40.162Z",
    "dataset": "forgerock.am_authentication",
    "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
    "ingested": "2024-06-12T03:06:44Z",
    "outcome": "success"
  },
  "forgerock": {
    "entries": [
      {
        "info": {
          "authIndex": "module_instance",
          "authIndexValue": "Application",
          "authLevel": "0",
          "ipAddress": "1.128.0.0"
        },
        "moduleId": "Application"
      }
    ],
    "eventName": "AM-LOGIN-COMPLETED",
    "level": "INFO",
    "principal": ["autoid-resource-server"],
    "realm": "/",
    "source": "audit",
    "topic": "authentication",
    "trackingIds": ["45463f84-ff1b-499f-aa84-8d4bd93150de-256204"]
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "service": { "name": "Authentication" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-am-authentication"],
  "transaction": { "id": "1664994108247-9f138d8fc9f59d23164c-26466/0" },
  "user": { "id": "id=autoid-resource-server,ou=agent,ou=am-config" }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.entries | The JSON representation of the details of an authentication module, chain, tree, or node. | flattened |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.principal | The array of accounts used to authenticate. | keyword |
forgerock.realm | The realm where the operation occurred. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword |
input.type | Input type. | keyword |
AM_Config events
This is the forgerock.am_config dataset. These logs capture access management configuration changes for Identity Cloud with a timestamp and by whom. More information about these logs.
Example
An example event for am_config looks as follows:
```json
{
  "@timestamp": "2022-09-20T14:40:10.664Z",
  "agent": {
    "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.am_config",
    "namespace": "65246",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "action": "AM-CONFIG-CHANGE",
    "agent_id_status": "verified",
    "category": ["configuration"],
    "created": "2024-06-12T03:07:28.334Z",
    "dataset": "forgerock.am_config",
    "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605",
    "ingested": "2024-06-12T03:07:31Z"
  },
  "forgerock": {
    "level": "INFO",
    "objectId": "ou=test,ou=agentgroup,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=alpha,ou=services,ou=am-config",
    "operation": "CREATE",
    "realm": "/alpha",
    "source": "audit",
    "topic": "config",
    "trackingIds": ["4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-5563"]
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-am-config"],
  "transaction": { "id": "1663684810619-c42f8145dec437c43428-2465/0" },
  "user": {
    "effective": { "id": "id=dsameuser,ou=user,ou=am-config" },
    "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
  }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.changedFields | Specifies the fields that were changed. | keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword |
forgerock.operation | The state change operation invoked. | keyword |
forgerock.realm | The realm where the operation occurred. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword |
input.type | Input type. | keyword |
AM_Core events
This is the forgerock.am_core dataset. These logs capture access management debug logs for Identity Cloud. More information about these logs.
Example
An example event for am_core looks as follows:
```json
{
  "@timestamp": "2022-12-05T19:29:20.845Z",
  "agent": {
    "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.am_core",
    "namespace": "90018",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "created": "2024-06-12T03:08:15.631Z",
    "dataset": "forgerock.am_core",
    "ingested": "2024-06-12T03:08:19Z",
    "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10"
  },
  "forgerock": { "context": "default" },
  "input": { "type": "httpjson" },
  "log": {
    "level": "DEBUG",
    "logger": "org.forgerock.opendj.ldap.CachedConnectionPool"
  },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "process": { "name": "LDAP SDK Default Scheduler" },
  "tags": ["forwarded", "forgerock-debug", "forgerock-am-core"]
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.context | The context of the debug event. | keyword |
input.type | Input type. | keyword |
IDM_access events
This is the forgerock.idm_access dataset. These logs capture messages for the identity management REST endpoints and the invocation of scheduled tasks. This is the who, what, and output for every identity management access request in Identity Cloud. More information about these logs.
Example
An example event for idm_access looks as follows:
```json
{
  "@timestamp": "2022-11-01T15:04:50.110Z",
  "agent": {
    "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "client": { "ip": "216.160.83.56", "port": 56278 },
  "data_stream": {
    "dataset": "forgerock.idm_access",
    "namespace": "61539",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "created": "2024-06-12T03:09:02.660Z",
    "dataset": "forgerock.idm_access",
    "duration": 2000000,
    "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025",
    "ingested": "2024-06-12T03:09:14Z",
    "outcome": "success",
    "type": ["access"]
  },
  "forgerock": {
    "eventName": "access",
    "http": {
      "request": {
        "headers": { "host": ["idm"] },
        "secure": false
      }
    },
    "level": "INFO",
    "request": { "operation": "READ", "protocol": "CREST" },
    "response": {
      "elapsedTime": 2,
      "elapsedTimeUnits": "MILLISECONDS",
      "status": "SUCCESSFUL"
    },
    "roles": ["internal/role/openidm-reg"],
    "source": "audit",
    "topic": "access"
  },
  "http": {
    "request": { "Path": "http://idm/openidm/info/ping", "method": "GET" },
    "response": { "status_code": 200 }
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "server": { "ip": "81.2.69.142" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-idm-access"],
  "transaction": { "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49021" },
  "user": { "id": "anonymous" }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.http.request.headers.host | The host header of the HTTP request. | keyword |
forgerock.http.request.secure | A flag describing whether or not the HTTP request was secure. | boolean |
forgerock.level | The log level. | keyword |
forgerock.request.operation | The request operation. | keyword |
forgerock.request.protocol | The protocol associated with the request; REST or PLL. | keyword |
forgerock.response.elapsedTime | Time to execute event. | date |
forgerock.response.elapsedTimeUnits | Units for response time. | keyword |
forgerock.response.status | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword |
forgerock.roles | IDM roles associated with the request. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
http.request.Path | The path of the HTTP request. | keyword |
input.type | Input type. | keyword |
IDM_activity events
This is the forgerock.idm_activity dataset. These logs capture operations on internal (managed) and external (system) objects in Identity Cloud. idm-activity logs the changes to identity content, such as adding or updating users, changing passwords, etc. More information about these logs.
Example
An example event for idm_activity looks as follows:
```json
{
  "@timestamp": "2022-11-01T18:02:39.882Z",
  "agent": {
    "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.idm_activity",
    "namespace": "89179",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "created": "2024-06-12T03:09:56.979Z",
    "dataset": "forgerock.idm_activity",
    "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906",
    "ingested": "2024-06-12T03:10:08Z",
    "outcome": "success"
  },
  "forgerock": {
    "eventName": "relationship_created",
    "level": "INFO",
    "message": "Relationship originating from managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88 via the relationship field parent and referencing managed/alpha_organization/c4de605d-9d1b-439e-9ea8-9aba47e01008 was created.",
    "objectId": "managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88/parent/bb20cd10-e6ad-48fd-8ef1-e8d4c3f7859f",
    "operation": "CREATE",
    "passwordChanged": false,
    "revision": "00000000478fd92b",
    "source": "audit",
    "topic": "activity"
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": ["forwarded", "forgerock-audit", "forgerock-idm-activity"],
  "transaction": { "id": "1667325742545-ee41d6454a6b4a815b69-24798/0" },
  "user": {
    "effective": { "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9" },
    "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9"
  }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.message | Human readable text about the action. | keyword |
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword |
forgerock.operation | The state change operation invoked. | keyword |
forgerock.passwordChanged | Boolean specifying whether changes were made to the password. | boolean |
forgerock.revision | Specifies the object revision number. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
input.type | Input type. | keyword |
IDM_authentication events
This is the forgerock.idm_authentication dataset. These logs capture the result of each authentication against an /openidm endpoint made in order to perform an action on an object. More information about these logs.
Example
An example event for idm_authentication looks as follows:

```json
{
  "@timestamp": "2022-10-05T18:21:48.253Z",
  "agent": {
    "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.idm_authentication",
    "namespace": "54220",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [ "authentication" ],
    "created": "2024-06-12T03:10:55.079Z",
    "dataset": "forgerock.idm_authentication",
    "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
    "ingested": "2024-06-12T03:11:07Z",
    "outcome": "success"
  },
  "forgerock": {
    "entries": [
      {
        "info": {
          "authIndex": "module_instance",
          "authIndexValue": "Application",
          "authLevel": "0",
          "ipAddress": "1.128.0.0"
        },
        "moduleId": "Application"
      }
    ],
    "eventName": "authentication",
    "level": "INFO",
    "method": "MANAGED_USER",
    "principal": [ "openidm-admin" ],
    "result": "SUCCESSFUL",
    "topic": "authentication",
    "trackingIds": [ "45463f84-ff1b-499f-aa84-8d4bd93150de-256204" ]
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": [ "forwarded", "forgerock-audit", "forgerock-idm-authentication" ],
  "transaction": { "id": "1664994108247-9f138d8fc9f59d23164c-26466/0" },
  "user": { "id": "id=user" }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.entries | The JSON representation of the details of an authentication module, chain, tree, or node. | flattened |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.method | The authentication method, such as | keyword |
forgerock.principal | The array of accounts used to authenticate. | keyword |
forgerock.result | Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED. | keyword |
forgerock.topic | The topic of the event. | keyword |
forgerock.trackingIds | Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token. | keyword |
input.type | Input type | keyword |
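The forgerock.result, forgerock.principal and forgerock.entries fields documented above are enough to build a basic brute-force detector over this dataset. The following is an added example, not code from the Elastic integration or from ForgeRock: it normalizes the vendor result strings (SUCCESS/SUCCESSFUL, FAIL/FAILED) to an ECS-style outcome, keys each failure by principal and by the ipAddress recorded inside forgerock.entries[].info, and flags every (principal, IP) pair that exceeds a threshold inside a sliding time window. The threshold, the window and the sample events are constructed assumptions for the example; only the field layout is taken from the event above.

```python
"""Flag bursts of failed ForgeRock IDM authentications per principal and source IP.

Added example, not part of the Elastic ForgeRock integration. It consumes
documents shaped like the forgerock.idm_authentication event above (ECS JSON as
indexed by the integration). The sample events, threshold and window below are
constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# forgerock.result carries the vendor status string; the table above documents
# SUCCESS/SUCCESSFUL and FAIL/FAILED, which we normalise to an ECS-style outcome.
_RESULT_MAP = {"SUCCESS": "success", "SUCCESSFUL": "success",
               "FAIL": "failure", "FAILED": "failure"}


def normalize_result(result):
    """Map SUCCESS/SUCCESSFUL/FAIL/FAILED to success/failure ("unknown" otherwise)."""
    return _RESULT_MAP.get((result or "").upper(), "unknown")


def source_ips(event):
    """Collect every ipAddress recorded in forgerock.entries[].info (a flattened field)."""
    ips = set()
    for entry in event.get("forgerock", {}).get("entries", []) or []:
        ip = (entry.get("info") or {}).get("ipAddress")
        if ip:
            ips.add(ip)
    return ips


def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(principal, ip): count} for every principal/IP pair with at least
    `threshold` failed authentications inside one sliding `window`.
    Events may arrive out of order; timestamps are sorted per key first."""
    buckets = defaultdict(list)
    for ev in events:
        fr = ev.get("forgerock", {})
        if normalize_result(fr.get("result")) != "failure":
            continue
        # @timestamp is RFC 3339 with a trailing Z; fromisoformat needs +00:00 before 3.11
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        ips = source_ips(ev) or {None}
        for principal in fr.get("principal", []) or ["<unknown>"]:
            for ip in ips:
                buckets[(principal, ip)].append(ts)

    flagged = {}
    for key, stamps in buckets.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(count, flagged.get(key, 0))
    return flagged


def _sample(ts, principal, ip, result):
    """Constructed forgerock.idm_authentication document (subset of the fields above)."""
    return {
        "@timestamp": ts,
        "event": {"category": ["authentication"], "dataset": "forgerock.idm_authentication"},
        "forgerock": {
            "eventName": "authentication",
            "method": "MANAGED_USER",
            "principal": [principal],
            "result": result,
            "entries": [{"moduleId": "Application", "info": {"ipAddress": ip}}],
        },
    }


# Constructed sample: six failures for openidm-admin from one address within
# seconds, one success, and two isolated failures for another user an hour apart.
SAMPLE_EVENTS = [
    _sample("2022-10-05T18:21:%02d.000Z" % (10 + i), "openidm-admin", "203.0.113.10", "FAILED")
    for i in range(6)
] + [
    _sample("2022-10-05T18:21:48.253Z", "openidm-admin", "1.128.0.0", "SUCCESSFUL"),
    _sample("2022-10-05T18:30:00.000Z", "bjensen", "203.0.113.10", "FAILED"),
    _sample("2022-10-05T19:30:00.000Z", "bjensen", "203.0.113.10", "FAILED"),
]

if __name__ == "__main__":
    for (principal, ip), count in failed_auth_bursts(SAMPLE_EVENTS).items():
        print(f"{principal} from {ip}: {count} failed authentications within one window")
```

Keying on the pair rather than on the principal alone keeps a password-spray from one address and a distributed attack against one account distinguishable; the per-key list is what you would replace with a query against the forgerock.idm_authentication data stream in production.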
IDM_config events
This is the forgerock.idm_config dataset. These logs capture configuration changes made to Identity Cloud, recording when each change was made and by whom. More information about these logs.
Example
An example event for idm_config looks as follows:

```json
{
  "@timestamp": "2022-10-19T16:12:12.549Z",
  "agent": {
    "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.idm_config",
    "namespace": "74292",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "category": [ "configuration" ],
    "created": "2024-06-12T03:11:48.197Z",
    "dataset": "forgerock.idm_config",
    "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332",
    "ingested": "2024-06-12T03:12:00Z"
  },
  "forgerock": {
    "changedFields": [ "/mappings" ],
    "eventName": "CONFIG",
    "level": "INFO",
    "objectId": "sync",
    "source": "audit",
    "topic": "config"
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": [ "forwarded", "forgerock-audit", "forgerock-idm-config" ],
  "transaction": { "id": "1666195908296-b802a87436c00618a43e-13149/0" },
  "user": {
    "effective": { "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" },
    "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
  }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.changedFields | Specifies the fields that were changed. | keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.objectId | Specifies the identifier of an object that has been created, updated, or deleted. | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.topic | The topic of the event. | keyword |
input.type | Input type | keyword |
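Two of the datasets on this page carry the fields you need for change monitoring: idm_config gives forgerock.objectId plus forgerock.changedFields (JSON-pointer style paths such as /mappings, as in the event above), and idm_activity gives forgerock.passwordChanged together with the acting user.id. The following is an added example that is not code from the Elastic integration or from ForgeRock. It matches changedFields against a watch list of config objects by path prefix, and separates administrative password resets from self-service ones by checking whether the acting user.id is the object named in forgerock.objectId. The watch list, that actor-versus-object heuristic and the sample events are assumptions constructed for the example; the only combination taken from the page is objectId "sync" with changedFields ["/mappings"].

```python
"""Surface sensitive ForgeRock IDM changes from idm_config and idm_activity events.

Added example, not part of the Elastic ForgeRock integration. It reads ECS
documents shaped like the idm_config event above (forgerock.objectId,
forgerock.changedFields) and like idm_activity events (forgerock.operation,
forgerock.passwordChanged, user.id). The watch list, the self-service heuristic
and every sample event are constructed assumptions for this example.
"""

# Assumed watch list: config objectId -> changedFields prefixes worth a review.
# "sync" with "/mappings" is the pair shown in the sample event above; the other
# entries are illustrative and not taken from ForgeRock documentation.
CONFIG_WATCHLIST = {
    "sync": ["/mappings"],
    "authentication": ["/"],   # "/" means any change to that config object
    "managed": ["/objects"],
}


def _path_matches(changed, prefixes):
    """True when a changed JSON pointer equals, or sits below, a watched prefix."""
    for prefix in prefixes:
        if prefix == "/" or changed == prefix or changed.startswith(prefix + "/"):
            return True
    return False


def sensitive_config_changes(events, watchlist=CONFIG_WATCHLIST):
    """Return (timestamp, user.id, objectId, [matched changedFields]) tuples for
    idm_config events whose changedFields touch a watched prefix."""
    hits = []
    for ev in events:
        fr = ev.get("forgerock", {})
        if fr.get("topic") != "config":
            continue
        prefixes = watchlist.get(fr.get("objectId"))
        if not prefixes:
            continue
        matched = [f for f in fr.get("changedFields", []) or [] if _path_matches(f, prefixes)]
        if matched:
            hits.append((ev["@timestamp"], ev.get("user", {}).get("id"), fr["objectId"], matched))
    return hits


def password_changes_by_other_users(events):
    """Return (timestamp, actor, objectId, operation) for idm_activity events with
    passwordChanged set where the actor is not the object itself.
    Heuristic (assumption): a self-service change has the acting user.id embedded
    in forgerock.objectId (managed/<type>/<id>); anything else is an admin reset."""
    hits = []
    for ev in events:
        fr = ev.get("forgerock", {})
        if fr.get("topic") != "activity" or not fr.get("passwordChanged"):
            continue
        actor = ev.get("user", {}).get("id") or ""
        if actor and actor in fr.get("objectId", ""):
            continue  # the user changed their own password
        hits.append((ev["@timestamp"], actor, fr.get("objectId"), fr.get("operation")))
    return hits


# Constructed sample events (field subset only).
SAMPLE_EVENTS = [
    {   # mirrors the idm_config example above
        "@timestamp": "2022-10-19T16:12:12.549Z",
        "forgerock": {"topic": "config", "eventName": "CONFIG", "objectId": "sync",
                      "changedFields": ["/mappings"]},
        "user": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"},
    },
    {   # constructed: a config object that is not on the watch list
        "@timestamp": "2022-10-19T16:13:00.000Z",
        "forgerock": {"topic": "config", "eventName": "CONFIG", "objectId": "ui/themerealm",
                      "changedFields": ["/realm/alpha"]},
        "user": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"},
    },
    {   # constructed: an administrator resets another user's password
        "@timestamp": "2022-10-19T16:15:00.000Z",
        "forgerock": {"topic": "activity", "operation": "UPDATE", "passwordChanged": True,
                      "objectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41"},
        "user": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"},
    },
    {   # constructed: self-service change, the actor is the object itself
        "@timestamp": "2022-10-19T16:16:00.000Z",
        "forgerock": {"topic": "activity", "operation": "UPDATE", "passwordChanged": True,
                      "objectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41"},
        "user": {"id": "9d88b635-9b7a-48d3-9a57-1978b99a5f41"},
    },
]

if __name__ == "__main__":
    for hit in sensitive_config_changes(SAMPLE_EVENTS):
        print("config:", hit)
    for hit in password_changes_by_other_users(SAMPLE_EVENTS):
        print("admin password reset:", hit)
```

Prefix matching is deliberate: a change reported as /mappings/0/policies should trip the same watch as /mappings, while an unrelated key that merely shares the leading characters should not.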
IDM_core events
This is the forgerock.idm_core dataset. These logs capture the identity management debug logs for Identity Cloud. More information about these logs.
Example
An example event for idm_core looks as follows:

```json
{
  "@timestamp": "2022-12-05T20:01:34.448Z",
  "agent": {
    "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.idm_core",
    "namespace": "52603",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "created": "2024-06-12T03:12:40.380Z",
    "dataset": "forgerock.idm_core",
    "ingested": "2024-06-12T03:12:52Z",
    "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance"
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": [ "forwarded", "forgerock-debug", "forgerock-idm-core" ]
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.idm_core.message | | keyword |
forgerock.idm_core.name | | keyword |
forgerock.idm_core.target | | keyword |
forgerock.idm_core.type | | keyword |
input.type | Input type | keyword |
IDM_sync events
This is the forgerock.idm_sync dataset. These logs capture changes to an object that trigger automatic synchronization (live sync and implicit sync) when a repository is mapped to Identity Cloud. More information about these logs.
Example
An example event for idm_sync looks as follows:

```json
{
  "@timestamp": "2022-10-19T16:09:17.900Z",
  "agent": {
    "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed",
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.13.0"
  },
  "data_stream": {
    "dataset": "forgerock.idm_sync",
    "namespace": "29113",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
    "snapshot": false,
    "version": "8.13.0"
  },
  "event": {
    "agent_id_status": "verified",
    "created": "2024-06-12T03:13:33.362Z",
    "dataset": "forgerock.idm_sync",
    "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280",
    "ingested": "2024-06-12T03:13:45Z",
    "outcome": "success"
  },
  "forgerock": {
    "action": "ASYNC",
    "eventName": "sync",
    "level": "INFO",
    "linkQualifier": "default",
    "mapping": "managedalpha_user_managedMarketinglist",
    "situation": "SOURCE_IGNORED",
    "source": "audit",
    "sourceObjectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41",
    "topic": "sync"
  },
  "input": { "type": "httpjson" },
  "observer": { "vendor": "ForgeRock Identity Platform" },
  "tags": [ "forwarded", "forgerock-audit", "forgerock-idm-sync" ],
  "transaction": { "id": "1666195747447-56a35455016b7da218a6-11991/0" },
  "user": { "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf" }
}
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
forgerock.action | The synchronization action, depicted as a Common REST action. | keyword |
forgerock.eventName | The name of the audit event. | keyword |
forgerock.level | The log level. | keyword |
forgerock.linkQualifier | ForgeRock's link qualifier applied to the action. | keyword |
forgerock.mapping | Name of the mapping used for the synchronization operation. | keyword |
forgerock.situation | The synchronization situation, as documented at https://backstage.forgerock.com/docs/idm/7.2/synchronization-guide/chap-situations-actions.html#sync-situations | keyword |
forgerock.source | The source of the event. | keyword |
forgerock.sourceObjectId | Object ID on the source system. | keyword |
forgerock.targetObjectId | Object ID on the target system. | keyword |
forgerock.topic | The topic of the event. | keyword |
input.type | Input type | keyword |
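Because every idm_sync event names the mapping, the situation the engine assessed and the action it took, the dataset lends itself to per-mapping triage: a mapping that suddenly produces many DELETE actions, or situations the engine could not resolve, is usually a mis-scoped source query or a mapping pointed at the wrong object set. The following is an added example and not code from the Elastic integration or from ForgeRock. It aggregates (situation, action, outcome) per mapping and raises findings for situations in a review set, for events whose event.outcome is not success, and for bursts of destructive actions. The situation and action names come from the ForgeRock synchronization documentation linked in the table above; which of them to review, the threshold and the sample events are assumptions made for this example.

```python
"""Summarise ForgeRock IDM synchronization outcomes per mapping from idm_sync events.

Added example, not part of the Elastic ForgeRock integration. It consumes documents
shaped like the idm_sync event above (forgerock.mapping, forgerock.situation,
forgerock.action, event.outcome). The review set, the destructive-action
threshold and all sample events are constructed assumptions for this example.
"""
from collections import Counter, defaultdict

# Assumed review set: situations where source and target disagree in a way that
# usually needs a person (ambiguous or unqualified matches, missing source objects).
REVIEW_SITUATIONS = {"AMBIGUOUS", "UNQUALIFIED", "FOUND_ALREADY_LINKED", "SOURCE_MISSING"}
# Assumed: actions that remove or detach accounts on the target side.
DESTRUCTIVE_ACTIONS = {"DELETE", "UNLINK"}


def summarize_sync(events):
    """Return {mapping: Counter((situation, action, outcome))} over idm_sync events.
    Events from other topics are ignored so the input can be a mixed stream."""
    summary = defaultdict(Counter)
    for ev in events:
        fr = ev.get("forgerock", {})
        if fr.get("topic") != "sync":
            continue
        key = (fr.get("situation"), fr.get("action"), ev.get("event", {}).get("outcome"))
        summary[fr.get("mapping", "<unknown>")][key] += 1
    return summary


def sync_findings(events, delete_threshold=3):
    """Return (mapping, reason, count) findings for:
    - events whose situation is in REVIEW_SITUATIONS,
    - events whose event.outcome is present and not "success",
    - more than `delete_threshold` destructive actions on a single mapping."""
    findings = []
    for mapping, counts in summarize_sync(events).items():
        review = sum(n for (sit, _, _), n in counts.items() if sit in REVIEW_SITUATIONS)
        failed = sum(n for (_, _, out), n in counts.items() if out and out != "success")
        destructive = sum(n for (_, act, _), n in counts.items() if act in DESTRUCTIVE_ACTIONS)
        if review:
            findings.append((mapping, "situation needs review", review))
        if failed:
            findings.append((mapping, "sync outcome not success", failed))
        if destructive > delete_threshold:
            findings.append((mapping, "destructive action burst", destructive))
    return findings


def _sync(ts, mapping, situation, action, outcome="success",
          source_id="managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41"):
    """Constructed idm_sync document (subset of the fields listed above)."""
    return {"@timestamp": ts, "event": {"outcome": outcome},
            "forgerock": {"topic": "sync", "eventName": "sync", "linkQualifier": "default",
                          "mapping": mapping, "situation": situation, "action": action,
                          "sourceObjectId": source_id}}


# Constructed sample: the benign event from the page, a burst of deletes on one
# mapping, and a single ambiguous match that ended in an exception.
SAMPLE_EVENTS = [
    _sync("2022-10-19T16:09:17.900Z", "managedalpha_user_managedMarketinglist",
          "SOURCE_IGNORED", "ASYNC"),
] + [
    _sync("2022-10-19T16:10:%02d.000Z" % i, "managedAlpha_user_systemLdapAccount",
          "SOURCE_MISSING", "DELETE")
    for i in range(5)
] + [
    _sync("2022-10-19T16:11:00.000Z", "systemLdapAccount_managedAlpha_user",
          "AMBIGUOUS", "EXCEPTION", outcome="failure"),
]

if __name__ == "__main__":
    for mapping, reason, count in sync_findings(SAMPLE_EVENTS):
        print(f"{mapping}: {reason} ({count})")
```

The same mapping can legitimately appear in more than one finding; in the sample, the mapping that deletes five accounts is reported both for the destructive burst and because SOURCE_MISSING is in the review set, which is the behaviour you want when deciding whether to pause a mapping.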
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.21.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.20.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.20.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.19.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.18.4 | Bug fix (View pull request) | 8.13.0 or higher |
1.18.3 | Bug fix (View pull request) | 8.13.0 or higher |
1.18.2 | Bug fix (View pull request) | 8.13.0 or higher |
1.18.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.18.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.17.1 | Bug fix (View pull request) | 8.12.0 or higher |
1.17.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.16.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.15.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.14.1 | Enhancement (View pull request) | 8.7.1 or higher |
1.14.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.13.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.12.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.11.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.10.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.9.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.8.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.7.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.6.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.5.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.4.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.3.1 | Bug fix (View pull request) | 8.7.1 or higher |
1.3.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.2.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.1.0 | Enhancement (View pull request) | 7.17.0 or higher |
1.0.0 | Enhancement (View pull request) | 7.17.0 or higher |