PingAM 8.0.0

Audit logging reference

AM writes log messages generated from audit events triggered by its components, instances, and other Ping Identity Platform products.

Audit log format

This section presents the audit log format for each topic-based file, event names, and audit constants used in its log messages.

Access log format

Schema property Description

_id

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.653Z

eventName

The name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. Find a list of audit event names in Audit log events.

transactionId

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

Trusted AM deployments with multiple instances, components, and Ping Identity Platform products can propagate the transaction ID through each call across the stack. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

user.id

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingIds

A unique random string generated as an alias for each AM session ID and OAuth 2.0 token. For example, [ "45b17894529cf74301" ].

For OAuth 2.0 tokens, whenever AM generates an access or grant token, it also generates unique random value and logs it as an alias. In this way, it is possible to trace back an access token back to its originating grant token, trace the grant token back to the session in which it was created, and then trace how the session was authenticated. An example of a trackingIds property in an OAuth 2.0/OpenID Connect 1.0 environment is:

[ "1979edf68543ead001", "8878e51a-f2aa-464f-b1cc-b12fd6daa415", "3df9a5c3-8d1e-4ee3-93d6-b9bbe58163bc" ]
If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

server.ip

The IP address of the AM server. For example, 127.0.0.1.

server.port

The port number used by the AM server. For example, 8443.

client.host

The client hostname. This field is only populated if reverse DNS lookup is enabled.

client.ip

The client IP address.

client.port

The client port number.

authorizationId.roles

The list of roles for the authorized user.

authorizationId.component

The component part of the authorized ID.

request.protocol

The protocol associated with the request operation. Possible values: CREST, PLL, SAML2.

request.operation

The request operation. For common REST operations, possible values are: READ, ACTION, QUERY.

For PLL operations, possible values are: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request.detail

The detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

Example values for an OAuth 2.0 app tree flow:

{ "oAuth2Client":"myClient", "configuredService":"oauth2Tree" }

Example values for an SAML 2.0 app tree flow:

{ "spEntity":"serviceprovider1", "idpEntity":"identityprovider1", "configuredService":"samlTree" }

http.method

The HTTP method requested by the client. For example, GET, POST, PUT.

http.path

The path of the HTTP request. For example, https://am.example.com:8443/am/json/realms/root/authenticate.

http.queryParameters

The HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/alpha" ] }

  • { "_action": [ "validateGoto" ] }

http.request.headers

The HTTP header for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "am.example.com"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://am.example.com/am/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

http.request.cookies

A JSON map of key-value pairs and appears as its own property to allow for denylisting fields or values.

http.response.cookies

Not used in AM.

response.status

The response status of the request. For example, SUCCESS, FAILURE, or null.

response.statusCode

The response status code, depending on the protocol. For common REST, HTTP failure codes are displayed but not HTTP success codes. For PLL endpoints, PLL error codes are displayed.

response.detail

The message associated with response.statusCode. For example, the response.statusCode of 401 has a response.detail of { "reason": "Unauthorized" }.

response.elapsedTime

The time to execute the access event, usually in millisecond precision.

response.elapsedTimeUnits

The elapsed time units of the response. For example, MILLISECONDS.

component

The AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth, SAML2, Web Policy Agent, or Java Policy Agent.

realm

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

Activity log format

Property Description

_id

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-487.

timestamp

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.652Z

eventName

The name of the audit event. For example, AM-SESSION_CREATED, AM-SESSION-LOGGED_OUT, AM-IDENTITY-CHANGE. Find a list of audit event names in Audit log events.

transactionId

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for same even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingIds

An array containing a random context ID that identifies the session and a random string generated from an OAuth 2.0/OpenID Connect 1.0 flow that could track an access token ID or an grant token ID. For example, [ "45b17894529cf74301" ].

If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

runAs

The user to run the activity as. May be used in delegated administration. For example, id=amadmin,ou=user,ou=am-config.

objectId

The identifier of an object that has been created, updated, or deleted. For logging sessions, the session trackingId is used in this field. For example, [ "45b17894529cf74301" ]

operation

The state change operation invoked: CREATE, MODIFY, or DELETE.

before

Not used.

after

Not used.

changedFields

Not used.

revision

Not used.

component

The AM service utilized. For example, Session or Self-Service.

realm

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

Authentication log format

Property Description

_id

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-485.

timestamp

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.640Z

eventName

The name of the audit event. For example, AM-LOGOUT and AM-NODE-LOGIN-COMPLETED. Find a list of audit event names in Audit log events.

transactionId

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID even for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

user.id

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingIds

An array containing a unique random context ID. For example:

  • For OAuth 2.0/OpenID Connect flows, it identifies the session and a random string generated that can track an access token ID or a grant token ID.

  • For authentication trees, it identifies an authentication tree flow.

If the cross-upgrade session reference property is enabled, trackingIds will also contain a unique constant session identifier for session creation and upgrade events.

result

The result for an authentication tree.

Possible values are SUCCESSFUL or FAILED.

principal

The array of accounts used to authenticate, such as [ "amadmin" ] and [ "bjensen" ].

context

Not used

entries

The JSON representation of the authentication tree or node details. AM creates an event as each node completes and a final event at the end of the tree. For example:

{
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
}

component

The AM service utilized. For example, Authentication.

realm

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

Config log format

Property Description

_id

A universally unique identifier (UUID) for the message object. For example, 6a568d4fe-d655-49a8-8290-bfc02095bec9-843.

timestamp

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example, 2025-03-14T00:21:03.490Z

eventName

The name of the audit event. For example, AM-CONFIG-CHANGE. Find a list of audit event names in Audit log events.

transactionId

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 301d1a6e-67f9-4e45-bfeb-5e4047a8b432.

user.id

Not used.

You can determine the value for this field by linking to the access event using the same transactionId.

trackingIds

Not used.

runAs

The user to run the activity as. May be used in delegated administration. For example, id=amadmin,ou=user,ou=am-config.

objectId

The identifier of a system object that has been created, modified, or deleted. For example, ou=iPlanetAMAuthService,ou=services,o=alpha,ou=services,dc=example,dc=com.

operation

The state change operation invoked: CREATE, MODIFY, or DELETE.

before

The JSON representation of the object prior to the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=e301438c-0bd0-429c-ab0c-66126501069a",
      "nodes={}",
      "staticNodes={}"
    ]
}

after

The JSON representation of the object after the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=8058f432-b319-410b-afbb-c532f9a111b7",
      "innerTreeOnly=false",
      "enabled=true",
      "noSession=false",
      "mustRun=false",
      "uiConfig=",
      "staticNodes={\"startNode\":{\"x\":50,\"y\":25},\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\":{\"x\":777,\"y\":377},\"e301438c-0bd0-429c-ab0c-66126501069a\":{\"x\":1087,\"y\":109}}",
      "nodes={\"4c8bb786-80c5-424b-b75f-b66e54741177\":{\"displayName\":\"Password Collector\",\"nodeType\":\"PasswordCollectorNode\",\"x\":214,\"y\":178.984375,\"connections\":{\"outcome\":\"cd0253de-f473-45fc-a431-78575c2b2a4f\"}},\"8058f432-b319-410b-afbb-c532f9a111b7\":{\"displayName\":\"Username Collector\",\"nodeType\":\"UsernameCollectorNode\",\"x\":206,\"y\":123.984375,\"connections\":{\"outcome\":\"4c8bb786-80c5-424b-b75f-b66e54741177\"}},\"cd0253de-f473-45fc-a431-78575c2b2a4f\":{\"displayName\":\"Data Store Decision\",\"nodeType\":\"DataStoreDecisionNode\",\"x\":599,\"y\":198.984375,\"connections\":{\"true\":\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\",\"false\":\"e301438c-0bd0-429c-ab0c-66126501069a\"}}}"
    ]
}

changedFields

The fields that were changed. For example, [ "nodes" ].

revision

Not used.

component

Not used.

realm

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

Audit log events

This table summarizes the predefined events for each topic:

Topic Event name Event description

access

AM-ACCESS_ATTEMPT

When AM starts handling an HTTP request.

access

AM-ACCESS-OUTCOME

When AM finishes handling an HTTP request.

activity

AM-BACK-CHANNEL-LOGOUT

Event for an OIDC back-channel logout.

activity

AM-CONNECTION-FACTORY-CLOSED

Event for closing a connection factory.

activity

AM-CONNECTION-UPDATE

Event for a state change for the connection factory, such as when configuration changes lead to an attempt to reconnect.

activity

AM-GROUP-CHANGE

When a group is changed.

activity

AM-IDENTITY-CHANGE

When an identity is updated, such as a change to an attribute.

activity

AM-KEY-MANAGER-RELOAD-NOTIFICATION

Key Manager reload event.

activity

AM-LOGOUT-USER-TOKEN

When a user is logged out by their username (client-side sessions only).

activity

AM-NEW-CONNECTION-FACTORY

Event for creating a new connection factory.

activity

AM-SELFSERVICE-REGISTRATION-COMPLETED

When the self-service registration process is complete.

activity

AM-SELFSERVICE-PASSWORDCHANGE-COMPLETED

When the self-service password reset process is complete.

activity

AM-SESSION-CREATED

When an authenticated session is created.

activity

AM-SESSION-DESTROYED

When an authenticated session is destroyed.

activity

AM-SESSION-IDLE_TIMED_OUT

When an authenticated session has been inactive for longer than configured idle timeout duration.

activity

AM-SESSION-LOGGED_OUT

Event for the explicit logout of an authenticated session.

activity

AM-SESSION-MAX_TIMED_OUT

When an authenticated session exceeds the maximum configured lifetime.

activity

AM-SESSION-PROPERTY_CHANGED

When an authenticated session property changes.

activity

AM-TOKEN-EXCHANGE

Event for an OAuth 2.0 token exchange.

authentication

AM-BACK-CHANNEL-INITIALIZE

Event for the initiation of a backchannel authentication request.

authentication

AM-LOGOUT

Event for an authentication process logout.

authentication

AM-NODE-LOGIN-COMPLETED

Event for the successful or failed completion of an authentication node login.

authentication

AM-TREE-LOGIN-STARTED

Logged when authentication through a tree starts. If the tree includes a node that suspends the authentication journey, this event is logged again after the suspension with a result of continue.

authentication

AM-TREE-LOGIN-COMPLETED

Logged when an authentication journey completes, whether successful or not.

  • If authentication completes successfully, the event has a result of SUCCESS.

  • If authentication fails, the event has a result of FAILED.

  • If the authentication ends in an exception (usually due to a misconfiguration in the journey), the event has a result of FAILED with the following additional field:

    exception: "An exception occurred during the authentication process"

    These exceptions let you troubleshoot logins that failed due to misconfiguration.

config

AM-BOOT-JSON-UPDATED

When the boot.json file is updated.

config

AM-CONFIG-CHANGE

When the AM configuration is updated.

Audit log components

This table lists the predefined audit event components that make up log messages:

Event component AM component, service, or feature

AM agents

Web and Java agents

Audit

Auditing service

Authentication

Authentication service

Batch

Batch service

Boot Json

Boot.json component

Config

Configuration

CORS

CORS preflight component

CTS

Core Token Service

Dashboard

Dashboard service

Devices

Trusted devices

Documentation

API documentation component

Groups

Groups component

ID Repo

ID repo event component

jato

Jato audit event component

Monitoring

Monitoring

Oath

Mobile authentication

OAuth

OAuth 2.0, OpenID Connect 1.0, and UMA

Policy

Policies

Push

Push Notification service

Radius

RADIUS server

Realms

Realms and sub-realms

Record

Recording service

SAML2

SAML v2.0

Script

Scripting service

Secrets

Secrets component

Self-Service

User Self-Service service

Service Config Cache

Service Config Cache audit event component

Server Info

Server information service

Session

Session service

ssoadm

ssoadm command

STS

REST Secure Token Service

Things

Internet of Things component

Users

Users component

Audit log fields

The following tables list all the available fields that you can use to filter audit logs. The log fields are listed in JSON notation.

Some fields may contain sensitive information and aren’t suitable for recording in audit logs. By default, AM has a preconfigured allowlist that defines which object fields can be logged.

The table indicates which fields appear on the default allowlist. If an allowlisted field contains an object, then listing the field means the whole object is allowlisted.

Access log fields

Field Allowlisted by default

/access/_id

Yes

/access/client/ip

Yes

/access/client/port

Yes

/access/access/component

/access/eventName

Yes

/access/http/request/cookies/Domain

/access/http/request/cookies/Expires

/access/http/request/cookies/HttpOnly

/access/http/request/cookies/JSESSIONID

/access/http/request/cookies/Max-Age

/access/http/request/cookies/NTID

/access/http/request/cookies/OAUTH_REQUEST_ATTRIBUTES

/access/http/request/cookies/ORIG_URL

/access/http/request/cookies/Path

/access/http/request/cookies/amlbcookie

/access/http/request/cookies/authId

/access/http/request/cookies/iPlanetDirectoryPro

/access/http/request/headers/accept

Yes

/access/http/request/headers/accept-api-version

Yes

/access/http/request/headers/accept-encoding

/access/http/request/headers/accept-language

/access/http/request/headers/authorization

/access/http/request/headers/cache-control

/access/http/request/headers/connection

/access/http/request/headers/content-length

/access/http/request/headers/content-type

Yes

/access/http/request/headers/host

Yes

/access/http/request/headers/if-match

/access/http/request/headers/if-none-match

/access/http/request/headers/iplanetdirectorypro

/access/http/request/headers/oidc_id_token

/access/http/request/headers/origin

/access/http/request/headers/referer

/access/http/request/headers/upgrade-insecure-requests

/access/http/request/headers/user-agent

Yes

/access/http/request/headers/user

/access/http/request/headers/x-forgerock-transactionid

/access/http/request/headers/x-forwarded-for

Yes

/access/http/request/headers/x-forwarded-host

Yes

/access/http/request/headers/x-forwarded-port

Yes

/access/http/request/headers/x-forwarded-proto

Yes

/access/http/request/headers/x-nosession

/access/http/request/headers/x-openam-password

/access/http/request/headers/x-openam-username

/access/http/request/headers/x-original-uri

Yes

/access/http/request/headers/x-password

/access/http/request/headers/x-real-ip

Yes

/access/http/request/headers/x-request-id

Yes

/access/http/request/headers/x-requested-with

Yes

/access/http/request/headers/x-scheme

Yes

/access/http/request/headers/x-username

/access/http/request/method

Yes

/access/http/request/path

Yes

/access/http/request/queryParameters/ForceAuth

/access/http/request/queryParameters/_action

/access/http/request/queryParameters/_fields

/access/http/request/queryParameters/_pageSize

/access/http/request/queryParameters/_queryFilter

/access/http/request/queryParameters/_queryId

/access/http/request/queryParameters/access_token

/access/http/request/queryParameters/acr

/access/http/request/queryParameters/agent_realm

/access/http/request/queryParameters/assertion

/access/http/request/queryParameters/authIndexType

Yes

/access/http/request/queryParameters/authIndexValue

Yes

/access/http/request/queryParameters/client_id

/access/http/request/queryParameters/client_secret

/access/http/request/queryParameters/cnf_key

/access/http/request/queryParameters/code

/access/http/request/queryParameters/code_challenge

/access/http/request/queryParameters/code_challenge_method

/access/http/request/queryParameters/code_verifier

/access/http/request/queryParameters/composite_advice

Yes

/access/http/request/queryParameters/csrf

/access/http/request/queryParameters/decision

/access/http/request/queryParameters/device_code

/access/http/request/queryParameters/forUI

/access/http/request/queryParameters/goto

/access/http/request/queryParameters/grant_type

/access/http/request/queryParameters/id_token

/access/http/request/queryParameters/iss

/access/http/request/queryParameters/level

Yes

/access/http/request/queryParameters/nonce

/access/http/request/queryParameters/oauth_token

/access/http/request/queryParameters/oauth_verifier

/access/http/request/queryParameters/password

/access/http/request/queryParameters/prompt

/access/http/request/queryParameters/realm

/access/http/request/queryParameters/redirect_uri

/access/http/request/queryParameters/refresh_token

/access/http/request/queryParameters/rel

/access/http/request/queryParameters/request

/access/http/request/queryParameters/resource

Yes

/access/http/request/queryParameters/response_type

/access/http/request/queryParameters/role

Yes

/access/http/request/queryParameters/save_consent

/access/http/request/queryParameters/scope

/access/http/request/queryParameters/service

Yes

/access/http/request/queryParameters/sessionUpgradeSSOTokenId

/access/http/request/queryParameters/state

/access/http/request/queryParameters/token

/access/http/request/queryParameters/user

Yes

/access/http/request/queryParameters/user_code

/access/http/request/queryParameters/username

/access/http/request/secure

Yes

/access/realm

/access/request/detail/action

Yes

/access/request/operation

Yes

/access/request/protocol

Yes

/access/response/detail/active

Yes

/access/response/detail/application_type

Yes

/access/response/detail/client_id

Yes

/access/response/detail/objectId

Yes

/access/response/detail/reason

Yes

/access/response/detail/redirect_uris

Yes

/access/response/detail/revision

Yes

/access/response/detail/scope

Yes

/access/response/detail/scope

Yes

/access/response/detail/token_type

Yes

/access/response/detail/username

Yes

/access/response/elapsedTime

Yes

/access/response/elapsedTimeUnits

Yes

/access/response/status

Yes

/access/response/statusCode

Yes

/access/server/ip

Yes

/access/server/port

Yes

/access/timestamp

Yes

/access/trackingIds

Yes

/access/transactionId

Yes

/access/userId

Yes

Activity log fields

Field Allowlisted by default

/activity/_id

Yes

/activity/after/_id

/activity/after/_username

/activity/after/assignedDashboard

Yes

/activity/after/cn

Yes

/activity/after/commonName

Yes

/activity/after/createTimestamp

/activity/after/dn

/activity/after/givenName

Yes

/activity/after/inetUserStatus

Yes

/activity/after/iplanet-am-session-max-caching-time

/activity/after/iplanet-am-session-max-idle-time

/activity/after/iplanet-am-session-max-session-time

/activity/after/iplanet-am-session-quota-limit

/activity/after/iplanet-am-user-alias-list

Yes

/activity/after/iplanet-am-user-login-status

Yes

/activity/after/kbaInfo

/activity/after/kbaInfoAttempts

Yes

/activity/after/lastEmailSent

/activity/after/mail

/activity/after/memberof

Yes

/activity/after/modifyTimestamp

/activity/after/o

Yes

/activity/after/oath2faEnabled

Yes

/activity/after/oathDeviceProfiles

/activity/after/objectClass

Yes

/activity/after/organizationName

Yes

/activity/after/organizationUnitName

Yes

/activity/after/ou

Yes

/activity/after/push2faEnabled

Yes

/activity/after/pushDeviceProfiles

/activity/after/sn

Yes

/activity/after/sunAMAuthInvalidAttemptsData

Yes

/activity/after/surname

Yes

/activity/after/uid

Yes

/activity/after/uniqueMember

Yes

/activity/after/userid

Yes

/activity/after/userPassword

/activity/after/webauthnDeviceProfiles

/activity/before/assignedDashboard

Yes

/activity/before/cn

Yes

/activity/before/commonName

Yes

/activity/before/givenName

Yes

/activity/before/inetUserStatus

Yes

/activity/before/iplanet-am-session-max-caching-time

/activity/before/iplanet-am-session-max-idle-time

/activity/before/iplanet-am-session-max-session-time

/activity/before/iplanet-am-session-quota-limit

/activity/before/iplanet-am-user-alias-list

Yes

/activity/before/iplanet-am-user-login-status

Yes

/activity/before/kbaInfo

/activity/before/kbaInfoAttempts

Yes

/activity/before/lastEmailSent

/activity/before/memberof

Yes

/activity/before/modifyTimestamp

/activity/before/o

Yes

/activity/before/oath2faEnabled

Yes

/activity/before/objectClass

Yes

/activity/before/organizationName

Yes

/activity/before/organizationUnitName

Yes

/activity/before/ou

Yes

/activity/before/push2faEnabled

Yes

/activity/before/sn

Yes

/activity/before/sunAMAuthInvalidAttemptsData

Yes

/activity/before/surname

Yes

/activity/before/uid

Yes

/activity/before/uniqueMember

Yes

/activity/before/userid

Yes

/activity/before/userPassword

/activity/changedFields

Yes

/activity/component

Yes

/activity/eventName

Yes

/activity/objectId

Yes

/activity/operation

Yes

/activity/realm

Yes

/activity/revision

Yes

/activity/runAs

Yes

/activity/timestamp

Yes

/activity/trackingIds

Yes

/activity/transactionId

Yes

/activity/userId

Yes

Authentication log fields

Field Allowlisted by default

/authentication/

Yes

Config log fields

Field Allowlisted by default

/config/_id

Yes

/config/after/modifytimestamp

/config/after/objectclass

/config/after/ou

/config/after/sunKeyValue

/config/after/sunserviceID

/config/after/sunsmspriority

/config/after/sunxmlKeyValue

/config/before/modifytimestamp

/config/before/objectclass

/config/before/ou

/config/before/sunKeyValue

/config/before/sunserviceID

/config/before/sunsmspriority

/config/before/sunxmlKeyValue

/config/changedFields

Yes

/config/component

Yes

/config/eventName

Yes

/config/objectId

Yes

/config/operation

Yes

/config/realm

Yes

/config/revision

Yes

/config/runAs

Yes

/config/timestamp

Yes

/config/trackingIds

Yes

/config/transactionId

Yes

/config/userId

JDBC audit log tables

AM writes audit events to relational databases using the JDBC audit event handler. This section presents the columns for each audit table.

am_auditaccess

Column Datatype Description

id

VARCHAR(56) NOT NULL

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

Trusted AM deployments with multiple instances, components, and Ping Identity Platform products can propagate a transaction ID through each call across the platform. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255)

The name of the audit event. For example, AM-ACCESS-ATTEMPT and AM-ACCESS-OUTCOME. Find a list of audit event names in Audit log events.

userid

VARCHAR(255) NULL

The universal identifier for the authenticated user. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

The tracking IDs of the event, used by all topics.

server_ip

VARCHAR(40)

The IP address of the AM server.

server_port

VARCHAR(5)

The port number used by the AM server. For example, 8443.

client_host

VARCHAR(255)

The client hostname. This column is only populated if reverse DNS lookup is enabled.

client_ip

VARCHAR(40)

The client IP address.

client_port

VARCHAR(5)

The client port number.

request_protocol

VARCHAR(255) NULL

The protocol associated with the request operation. Possible values: CREST and PLL.

request_operation

VARCHAR(255) NULL

The request operation.

For common REST operations, possible values: READ, ACTION, QUERY.

For PLL operations, possible values: LoginIndex, SubmitRequirements, GetSession, REQUEST_ADD_POLICY_LISTENER.

request_detail

TEXT NULL

The detailed information about the request operation. For example:

  • {"action":"idFromSession"}

  • {"action":"validateGoto"}

  • {"action":"validate"}

  • {"action":"logout"}

  • {"action":"schema"}

  • {"action":"template"}

http_request_secure

BOOLEAN NULL

The HTTP method requested by the client. For example, true or false. Note that false does not mean the client connection is insecure as there may be a reverse proxy terminating the HTTPS connection.

http_request_method

VARCHAR(7) NULL

The HTTP method requested by the client. For example, GET, POST, PUT.

http_request_path

VARCHAR(255) NULL

The path of the HTTP request. For example, https://am.example.com:8443/am/json/realms/root/authenticate.

http_request_queryparameters

MEDIUMTEXT NULL

The HTTP query parameter string. For example:

  • { "_action": [ "idFromSession" ] }

  • { "_queryFilter": [ "true" ] }

  • { "_action": [ "validate" ] }

  • { "_action": [ "logout" ] }

  • { "realm": [ "/alpha" ] }

  • { "_action": [ "validateGoto" ] }

http_request_headers

MEDIUMTEXT NULL

The HTTP headers for the request. For example:

{
   "accept":[
      "application/json, text/javascript, */*; q=0.01"
   ],
   "Accept-API-Version":[
      "protocol=1.0"
   ],
   "accept-encoding":[
      "gzip, deflate"
   ],
   "accept-language":[
      "en-US;q=1,en;q=0.9"
   ],
   "cache-control":[
      "no-cache"
   ],
   "connection":[
      "Keep-Alive"
   ],
   "content-length":[
      "0"
   ],
   "host":[
      "am.example.com"
   ],
   "pragma":[
      "no-cache"
   ],
   "referer":[
      "https://am.example.com/am/XUI/"
   ],
   "user-agent":[
      "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
   ],
   "x-nosession":[
      "true"
   ],
   "x-requested-with":[
      "XMLHttpRequest"
   ],
   "x-username":[
      "anonymous"
   ]
}

http_request_cookies

MEDIUMTEXT NULL

A JSON map of key-value pairs and appears as its own property to allow for denylisting fields or values. For example:

"cookies": "amlbcookie=01;
iPlanetDirectoryPro=\"AQIC5wM2LY....*AAJTSQACMfwT...*\";
iPlanetDirectoryPro=eyJ0eXAiOiJK....eyJzdWIiOiJkZ..."

The line feeds and truncated values in the example are for readability purposes.

http_response_headers

MEDIUMTEXT NULL

Captures the headers returned by AM to the client (that is, the inverse of http_request_headers). AM doesn’t currently populate this field.

response_status

VARCHAR(10) NULL

The response status of the request. For example, SUCCESS, FAILURE, ALLOWED, DENIED, or NULL.

response_statuscode

VARCHAR(255) NULL

The response status code, depending on the protocol.

For common REST, HTTP failure codes are displayed but not HTTP success codes.

For PLL endpoints, PLL error codes are displayed.

response_detail

TEXT NULL

The message associated with the response status code. For example, a response status code of 401 has a response detail of { "reason": "Unauthorized" }.

response_elapsedtime

VARCHAR(255) NULL

The time to execute the access event, usually in millisecond precision.

response_elapsedtimeunits

VARCHAR(255) NULL

The elapsed time units of the response. For example, MILLISECONDS.

component

VARCHAR(255) NULL

The AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

am_auditauthentication

Column Datatype Description

id

VARCHAR(56) NOT NULL

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

Trusted AM deployments with multiple instances, components, and Ping Identity Platform products can propagate a transaction ID through each call across the platform. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

The name of the audit event. For example, AM-NODE-LOGIN-COMPLETED and AM-LOGOUT. Find a list of audit event names in Audit log events.

userid

VARCHAR(255) NULL

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

The tracking IDs of the event, used by all topics.

result

VARCHAR(255) NULL

The result for an authentication tree.

Possible values are SUCCESSFUL or FAILED.

principals

MEDIUMTEXT

The array of accounts used to authenticate, such as [ "amadmin" ] and [ "bjensen" ].

context

MEDIUMTEXT

Not used.

entries

MEDIUMTEXT

The JSON representation of the authentication tree or node details. AM creates an event as each node completes and a final event at the end of the tree. For example:

{
  "entries":[
      {
         "info":{
            "nodeOutcome":"true",
            "treeName":"Example",
            "displayName":"Data Store Decision",
            "nodeType":"DataStoreDecisionNode",
            "nodeId":"e5ec495a-2ae2-4eca-8afb-9781dea04170",
            "authLevel":"0"
         }
      }
   ]
}

component

VARCHAR(255) NULL

The AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

am_auditactivity

Column Datatype Description

id

VARCHAR(56) NOT NULL

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NOT NULL

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

Trusted AM deployments with multiple instances, components, and Ping Identity Platform products can propagate a transaction ID through each call across the platform. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

The name of the audit event. For example, AM-SESSION-CREATED and AM-SESSION-DESTROYED. Find a list of audit event names in Audit log events.

userid

VARCHAR(255) NULL

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

The tracking IDs of the event, used by all topics.

runas

VARCHAR(255) NULL

The user to run the activity as. May be used in delegated administration. For example, id=amadmin,ou=user,ou=am-config.

objectid

VARCHAR(255) NULL

The identifier of a system object that has been created, modified, or deleted. For example, ou=iPlanetAMAuthService,ou=services,o=alpha,ou=services,dc=example,dc=com.

operation

VARCHAR(255) NULL

The state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObject

MEDIUMTEXT NULL

The JSON representation of the object prior to the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=e301438c-0bd0-429c-ab0c-66126501069a",
      "nodes={}",
      "staticNodes={}"
    ]
}

afterObject

MEDIUMTEXT NULL

The JSON representation of the object after the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=8058f432-b319-410b-afbb-c532f9a111b7",
      "innerTreeOnly=false",
      "enabled=true",
      "noSession=false",
      "mustRun=false",
      "uiConfig=",
      "staticNodes={\"startNode\":{\"x\":50,\"y\":25},\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\":{\"x\":777,\"y\":377},\"e301438c-0bd0-429c-ab0c-66126501069a\":{\"x\":1087,\"y\":109}}",
      "nodes={\"4c8bb786-80c5-424b-b75f-b66e54741177\":{\"displayName\":\"Password Collector\",\"nodeType\":\"PasswordCollectorNode\",\"x\":214,\"y\":178.984375,\"connections\":{\"outcome\":\"cd0253de-f473-45fc-a431-78575c2b2a4f\"}},\"8058f432-b319-410b-afbb-c532f9a111b7\":{\"displayName\":\"Username Collector\",\"nodeType\":\"UsernameCollectorNode\",\"x\":206,\"y\":123.984375,\"connections\":{\"outcome\":\"4c8bb786-80c5-424b-b75f-b66e54741177\"}},\"cd0253de-f473-45fc-a431-78575c2b2a4f\":{\"displayName\":\"Data Store Decision\",\"nodeType\":\"DataStoreDecisionNode\",\"x\":599,\"y\":198.984375,\"connections\":{\"true\":\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\",\"false\":\"e301438c-0bd0-429c-ab0c-66126501069a\"}}}"
    ]
}

changedfields

VARCHAR(255) NULL

The columns that were changed. For example, [ "nodes" ].

rev

VARCHAR(255) NULL

Not used.

component

VARCHAR(255) NULL

The AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).

am_auditconfig

Column Datatype Description

id

VARCHAR(56) NOT NULL

A universally unique identifier (UUID) for the message object, such as a568d4fe-d655-49a8-8290-bfc02095bec9-491.

timestamp_

VARCHAR(29) NULL

The timestamp when AM logged the message, in UTC format to millisecond precision: yyyy-MM-ddTHH:mm:ss.msZ. For example: 2025-03-14T00:16:04.653Z

transactionid

VARCHAR(255) NULL

The UUID of the transaction, which identifies an external request when it comes into the system boundary. Any events generated while handling that request will be assigned that transaction ID, so that you may see the same transaction ID for different audit event topics. For example, 9c9e8d5c-2941-4e61-9c3c-8a990088e801.

Trusted AM deployments with multiple instances, components, and Ping Identity Platform products can propagate a transaction ID through each call across the platform. AM reads the X-ForgeRock-TransactionId HTTP header and appends an integer to the transaction ID. Note that this feature is disabled by default. When enabled, this feature should filter the X-ForgeRock-TransactionId HTTP header for connections from untrusted sources.

eventname

VARCHAR(255) NULL

The name of the audit event. For example, AM-CONFIG-CHANGE. Find a list of audit event names in Audit log events.

userid

VARCHAR(255) NULL

The universal identifier for authenticated users. For example, id=bjensen,ou=user,o=alpha,ou=services,dc=example,dc=com.

trackingids

MEDIUMTEXT

The tracking IDs of the event, used by all topics.

runas

VARCHAR(255) NULL

The user to run the activity as. May be used in delegated administration. For example, id=amadmin,ou=user,ou=am-config.

objectid

VARCHAR(255) NULL

The identifier of a system object that has been created, modified, or deleted. For example, ou=iPlanetAMAuthService,ou=services,o=alpha,ou=services,dc=example,dc=com.

operation

VARCHAR(255) NULL

The state change operation invoked: CREATE, MODIFY, or DELETE.

beforeObject

MEDIUMTEXT NULL

The JSON representation of the object prior to the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=e301438c-0bd0-429c-ab0c-66126501069a",
      "nodes={}",
      "staticNodes={}"
    ]
}

afterObject

MEDIUMTEXT NULL

The JSON representation of the object after the activity. For example:

{
    "sunKeyValue": [
      "entryNodeId=8058f432-b319-410b-afbb-c532f9a111b7",
      "innerTreeOnly=false",
      "enabled=true",
      "noSession=false",
      "mustRun=false",
      "uiConfig=",
      "staticNodes={\"startNode\":{\"x\":50,\"y\":25},\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\":{\"x\":777,\"y\":377},\"e301438c-0bd0-429c-ab0c-66126501069a\":{\"x\":1087,\"y\":109}}",
      "nodes={\"4c8bb786-80c5-424b-b75f-b66e54741177\":{\"displayName\":\"Password Collector\",\"nodeType\":\"PasswordCollectorNode\",\"x\":214,\"y\":178.984375,\"connections\":{\"outcome\":\"cd0253de-f473-45fc-a431-78575c2b2a4f\"}},\"8058f432-b319-410b-afbb-c532f9a111b7\":{\"displayName\":\"Username Collector\",\"nodeType\":\"UsernameCollectorNode\",\"x\":206,\"y\":123.984375,\"connections\":{\"outcome\":\"4c8bb786-80c5-424b-b75f-b66e54741177\"}},\"cd0253de-f473-45fc-a431-78575c2b2a4f\":{\"displayName\":\"Data Store Decision\",\"nodeType\":\"DataStoreDecisionNode\",\"x\":599,\"y\":198.984375,\"connections\":{\"true\":\"70e691a5-1e33-4ac3-a356-e7b6d60d92e0\",\"false\":\"e301438c-0bd0-429c-ab0c-66126501069a\"}}}"
    ]
}

changedfields

VARCHAR(255) NULL

The columns that were changed. For example, [ "nodes" ].

rev

VARCHAR(255)

Not used.

component

VARCHAR(255) NULL

The AM service utilized. For example, Server Info, Users, Config, Session, Authentication, Policy, OAuth.

realm

VARCHAR(255) NULL

The realm where the operation occurred. For example, the Top Level Realm (/) or the sub-realm name (/alpha).