ForgeRock Identity Platform

Version

1.19.0

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types

Security
Observability

Subscription level

Basic

Level of support

Elastic

ForgeRock is a modern identity platform that helps organizations radically simplify identity and access management (IAM) and identity governance and administration (IGA). The ForgeRock integration collects audit logs from the ForgeRock Identity Cloud API.

Configuration

Authorization parameters for the ForgeRock Identity Cloud API (the API Key ID and API Key Secret) can be created in the Identity Cloud admin UI.

Logs

AM_Access events

This is the forgerock.am_access dataset. These logs capture all incoming Identity Cloud access calls as audit events. This includes who, what, when, and the output for every access request. More information about these logs.

Example

An example event for am_access looks as follows:

{
    "@timestamp": "2022-11-06T18:16:43.813Z",
    "agent": {
        "ephemeral_id": "82b02cc6-7222-4ccc-b7f4-4c1c55315484",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_access",
        "namespace": "51919",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-SESSION-IDLE_TIMED_OUT",
        "agent_id_status": "verified",
        "created": "2024-06-12T03:05:10.979Z",
        "dataset": "forgerock.am_access",
        "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-79599",
        "ingested": "2024-06-12T03:05:14Z",
        "type": [
            "access"
        ]
    },
    "forgerock": {
        "eventName": "AM-SESSION-IDLE_TIMED_OUT",
        "level": "INFO",
        "objectId": "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901",
        "realm": "/",
        "source": "audit",
        "topic": "activity",
        "trackingIds": [
            "688b24d9-968e-4a20-b471-9bd78f1e46ec-13901"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Session"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-access"
    ],
    "transaction": {
        "id": "688b24d9-968e-4a20-b471-9bd78f1e46ec-1"
    },
    "user": {
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.http.request.headers.*

The headers of the HTTP request.

object

forgerock.http.request.headers.accept

The accept header of the HTTP request.

keyword

forgerock.http.request.headers.accept-api-version

The accept-api-version header of the HTTP request.

keyword

forgerock.http.request.headers.content-type

The content-type header of the HTTP request.

keyword

forgerock.http.request.headers.host

The host header of the HTTP request.

keyword

forgerock.http.request.headers.origin

The origin header of the HTTP request.

keyword

forgerock.http.request.headers.user-agent

The user-agent header of the HTTP request.

keyword

forgerock.http.request.headers.x-forwarded-for

The x-forwarded-for header of the HTTP request.

keyword

forgerock.http.request.headers.x-forwarded-proto

The x-forwarded-proto header of the HTTP request.

keyword

forgerock.http.request.headers.x-requested-with

The x-requested-with header of the HTTP request.

keyword

forgerock.http.request.queryParameters.*

The query parameter string of the HTTP request.

object

forgerock.http.request.secure

A flag describing whether or not the HTTP request was secure.

boolean

forgerock.level

The log level.

keyword

forgerock.objectId

Specifies the identifier of an object that has been created, updated, or deleted.

keyword

forgerock.realm

The realm where the operation occurred.

keyword

forgerock.request.detail.*

Details around the request.

object

forgerock.request.detail.action

Details around the request action.

keyword

forgerock.request.detail.grant_type

The request’s grant type.

keyword

forgerock.request.detail.scope

The request’s scope.

keyword

forgerock.request.detail.token_type_hint

The request’s token type.

keyword

forgerock.request.operation

The request operation.

keyword

forgerock.request.protocol

The protocol associated with the request; REST or PLL.

keyword

forgerock.response.detail.*

Details around the response status.

object

forgerock.response.detail.active

A flag for whether or not the response was active.

boolean

forgerock.response.detail.client_id

The response's client ID.

keyword

forgerock.response.detail.revision

The response's revision.

keyword

forgerock.response.detail.scope

The response's scope.

keyword

forgerock.response.detail.token_type

The response's token type.

keyword

forgerock.response.detail.username

The response's username.

keyword

forgerock.response.elapsedTime

Time taken to execute the event.

date

forgerock.response.elapsedTimeUnits

Units of the response elapsed time.

keyword

forgerock.response.status

Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED.

keyword

forgerock.roles

IDM roles associated with the request.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

forgerock.trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.

keyword

http.request.Path

The path of the HTTP request.

keyword

input.type

Input type.

keyword

AM_Activity events

This is the forgerock.am_activity dataset. These logs capture state changes to objects that have been created, updated, or deleted by Identity Cloud end users. This includes session, user profile, and device profile changes. More information about these logs.

Example

An example event for am_activity looks as follows:

{
    "@timestamp": "2022-10-05T20:55:59.966Z",
    "agent": {
        "ephemeral_id": "9db3f780-4230-43f5-832f-203266705932",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_activity",
        "namespace": "71478",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-SESSION-CREATED",
        "agent_id_status": "verified",
        "created": "2024-06-12T03:05:53.025Z",
        "dataset": "forgerock.am_activity",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-438366",
        "ingested": "2024-06-12T03:05:57Z",
        "reason": "CREATE"
    },
    "forgerock": {
        "level": "INFO",
        "objectId": "45463f84-ff1b-499f-aa84-8d4bd93150de-438033",
        "realm": "/",
        "source": "audit",
        "topic": "activity",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-438033"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Session"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-activity"
    ],
    "transaction": {
        "id": "5ff83988-8f23-4108-9359-42658fcfc4d1-request-3/0"
    },
    "user": {
        "effective": {
            "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
        },
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.after.*

Specifies the JSON representation of the object after the activity.

object

forgerock.before.*

Specifies the JSON representation of the object prior to the activity.

object

forgerock.changedFields

Specifies the fields that were changed.

keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.objectId

Specifies the identifier of an object that has been created, updated, or deleted.

keyword

forgerock.realm

The realm where the operation occurred.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

forgerock.trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.

keyword

input.type

Input type.

keyword

AM_Authentication events

This is the forgerock.am_authentication dataset. These logs capture when and how a user is authenticated and related audit events. More information about these logs.

Example

An example event for am_authentication looks as follows:

{
    "@timestamp": "2022-10-05T18:21:48.253Z",
    "agent": {
        "ephemeral_id": "2ffe10cc-935a-4457-869f-95b732cb0c8b",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_authentication",
        "namespace": "88343",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-LOGIN-COMPLETED",
        "agent_id_status": "verified",
        "category": [
            "authentication"
        ],
        "created": "2024-06-12T03:06:40.162Z",
        "dataset": "forgerock.am_authentication",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
        "ingested": "2024-06-12T03:06:44Z",
        "outcome": "success"
    },
    "forgerock": {
        "entries": [
            {
                "info": {
                    "authIndex": "module_instance",
                    "authIndexValue": "Application",
                    "authLevel": "0",
                    "ipAddress": "1.128.0.0"
                },
                "moduleId": "Application"
            }
        ],
        "eventName": "AM-LOGIN-COMPLETED",
        "level": "INFO",
        "principal": [
            "autoid-resource-server"
        ],
        "realm": "/",
        "source": "audit",
        "topic": "authentication",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-256204"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "service": {
        "name": "Authentication"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-authentication"
    ],
    "transaction": {
        "id": "1664994108247-9f138d8fc9f59d23164c-26466/0"
    },
    "user": {
        "id": "id=autoid-resource-server,ou=agent,ou=am-config"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.entries

The JSON representation of the details of an authentication module, chain, tree, or node.

flattened

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.principal

The array of accounts used to authenticate.

keyword

forgerock.realm

The realm where the operation occurred.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

forgerock.trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.

keyword

input.type

Input type.

keyword

AM_Config events

This is the forgerock.am_config dataset. These logs capture access management configuration changes for Identity Cloud with a timestamp and by whom. More information about these logs.

Example

An example event for am_config looks as follows:

{
    "@timestamp": "2022-09-20T14:40:10.664Z",
    "agent": {
        "ephemeral_id": "4afe06fa-469e-40e2-babb-b30baf137536",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_config",
        "namespace": "65246",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "AM-CONFIG-CHANGE",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2024-06-12T03:07:28.334Z",
        "dataset": "forgerock.am_config",
        "id": "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-20605",
        "ingested": "2024-06-12T03:07:31Z"
    },
    "forgerock": {
        "level": "INFO",
        "objectId": "ou=test,ou=agentgroup,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=alpha,ou=services,ou=am-config",
        "operation": "CREATE",
        "realm": "/alpha",
        "source": "audit",
        "topic": "config",
        "trackingIds": [
            "4e8550cd-71d6-4a08-b5b0-bb63bcbbc960-5563"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-am-config"
    ],
    "transaction": {
        "id": "1663684810619-c42f8145dec437c43428-2465/0"
    },
    "user": {
        "effective": {
            "id": "id=dsameuser,ou=user,ou=am-config"
        },
        "id": "id=d7cd65bf-743c-4753-a78f-a20daae7e3bf,ou=user,ou=am-config"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.changedFields

Specifies the fields that were changed.

keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.objectId

Specifies the identifier of an object that has been created, updated, or deleted.

keyword

forgerock.operation

The state change operation invoked.

keyword

forgerock.realm

The realm where the operation occurred.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

forgerock.trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.

keyword

input.type

Input type.

keyword

AM_Core events

This is the forgerock.am_core dataset. These logs capture access management debug logs for Identity Cloud. More information about these logs.

Example

An example event for am_core looks as follows:

{
    "@timestamp": "2022-12-05T19:29:20.845Z",
    "agent": {
        "ephemeral_id": "b802141d-9281-4caa-bb31-d5561f968ee5",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.am_core",
        "namespace": "90018",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:08:15.631Z",
        "dataset": "forgerock.am_core",
        "ingested": "2024-06-12T03:08:19Z",
        "reason": "Connection attempt failed: availableConnections=0, maxPoolSize=10"
    },
    "forgerock": {
        "context": "default"
    },
    "input": {
        "type": "httpjson"
    },
    "log": {
        "level": "DEBUG",
        "logger": "org.forgerock.opendj.ldap.CachedConnectionPool"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "process": {
        "name": "LDAP SDK Default Scheduler"
    },
    "tags": [
        "forwarded",
        "forgerock-debug",
        "forgerock-am-core"
    ]
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.context

The context of the debug event.

keyword

input.type

Input type.

keyword

IDM_access events

This is the forgerock.idm_access dataset. These logs capture messages for the identity management REST endpoints and the invocation of scheduled tasks. They record the who, what, and output for every identity management access request in Identity Cloud. More information about these logs.

Example

An example event for idm_access looks as follows:

{
    "@timestamp": "2022-11-01T15:04:50.110Z",
    "agent": {
        "ephemeral_id": "1c6538cf-fe70-498c-8919-a60c26ffcfac",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "client": {
        "ip": "216.160.83.56",
        "port": 56278
    },
    "data_stream": {
        "dataset": "forgerock.idm_access",
        "namespace": "61539",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:09:02.660Z",
        "dataset": "forgerock.idm_access",
        "duration": 2000000,
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49025",
        "ingested": "2024-06-12T03:09:14Z",
        "outcome": "success",
        "type": [
            "access"
        ]
    },
    "forgerock": {
        "eventName": "access",
        "http": {
            "request": {
                "headers": {
                    "host": [
                        "idm"
                    ]
                },
                "secure": false
            }
        },
        "level": "INFO",
        "request": {
            "operation": "READ",
            "protocol": "CREST"
        },
        "response": {
            "elapsedTime": 2,
            "elapsedTimeUnits": "MILLISECONDS",
            "status": "SUCCESSFUL"
        },
        "roles": [
            "internal/role/openidm-reg"
        ],
        "source": "audit",
        "topic": "access"
    },
    "http": {
        "request": {
            "Path": "http://idm/openidm/info/ping",
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "server": {
        "ip": "81.2.69.142"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-access"
    ],
    "transaction": {
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-49021"
    },
    "user": {
        "id": "anonymous"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, and endpoint. For data streams that otherwise fit but do not have a dataset set, the value "generic" is used. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.namespace

A user-defined namespace. Namespaces are useful for grouping data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with "default"; if no value is set, it falls back to "default". Beyond the Elasticsearch index naming criteria noted above, the namespace value has two additional restrictions: it must not contain "-", and it must be no longer than 100 characters.

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.http.request.headers.host

The host header of the HTTP request.

keyword

forgerock.http.request.secure

A flag describing whether or not the HTTP request was secure.

boolean

forgerock.level

The log level.

keyword

forgerock.request.operation

The request operation.

keyword

forgerock.request.protocol

The protocol associated with the request; REST or PLL.

keyword

forgerock.response.elapsedTime

Time taken to execute the event.

date

forgerock.response.elapsedTimeUnits

Units of the response elapsed time.

keyword

forgerock.response.status

Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED.

keyword

forgerock.roles

IDM roles associated with the request.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

http.request.Path

The path of the HTTP request.

keyword

input.type

Input type.

keyword
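As an added example (not code from the integration or from ForgeRock), the following Python walks a batch of documents shaped like the sample events on this page and derives the summaries a reviewer would want first: failed am_authentication events per principal, am_config changes where user.effective.id differs from user.id, and access events whose request was not secure, whose forgerock.response.status was FAIL/FAILED, or whose elapsed time (normalized through forgerock.response.elapsedTimeUnits) exceeds a threshold. The sample batch, its identifiers, and the SLOW_MS threshold are constructed assumptions.

```python
"""Triage of ForgeRock audit events in the ECS shape this integration emits.

Added example, not code from the integration or ForgeRock: walks documents
shaped like this page's sample events and derives defender-facing summaries.
SAMPLE_EVENTS is constructed with placeholder ids; SLOW_MS is assumed.
"""
from collections import Counter

SLOW_MS = 500.0  # assumed threshold (ms) for flagging slow access requests
_UNIT_TO_MS = {"NANOSECONDS": 1e-6, "MICROSECONDS": 1e-3,
               "MILLISECONDS": 1.0, "SECONDS": 1000.0}


def get_path(doc, path, default=None):
    """Return the value at a dotted path such as 'user.effective.id', or default."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def normalize_status(status):
    """Map forgerock.response.status (SUCCESS/SUCCESSFUL, FAIL/FAILED) to ECS event.outcome."""
    if status is None:
        return "unknown"
    s = str(status).upper()
    if s.startswith("SUCCESS"):
        return "success"
    if s.startswith("FAIL"):
        return "failure"
    return "unknown"


def elapsed_ms(doc):
    """forgerock.response.elapsedTime converted to milliseconds via elapsedTimeUnits."""
    value = get_path(doc, "forgerock.response.elapsedTime")
    units = get_path(doc, "forgerock.response.elapsedTimeUnits", "MILLISECONDS")
    if value is None or units not in _UNIT_TO_MS:
        return None
    return float(value) * _UNIT_TO_MS[units]


def outcome(doc):
    """ECS event.outcome when present, otherwise derived from forgerock.response.status."""
    return get_path(doc, "event.outcome") or normalize_status(
        get_path(doc, "forgerock.response.status"))


def triage(events):
    """Summaries a reviewer would pull from a batch of forgerock.* documents:
    auth_failures (failed am_authentication events per principal),
    delegated_config_changes (am_config events whose user.effective.id differs
    from user.id, i.e. the change ran under another identity's privileges),
    insecure_requests / failed_requests / slow_requests_ms (*_access events).
    """
    auth_failures = Counter()
    delegated, insecure, failed, slow = [], [], [], {}
    for doc in events:
        dataset = get_path(doc, "event.dataset", "")
        tx = get_path(doc, "transaction.id")
        if dataset == "forgerock.am_authentication" and outcome(doc) == "failure":
            for principal in get_path(doc, "forgerock.principal") or ["<unknown>"]:
                auth_failures[principal] += 1
        elif dataset == "forgerock.am_config":
            actor, effective = get_path(doc, "user.id"), get_path(doc, "user.effective.id")
            if effective and effective != actor:
                delegated.append((get_path(doc, "event.id"), actor, effective))
        elif dataset.endswith("_access"):
            if get_path(doc, "forgerock.http.request.secure") is False:
                insecure.append(tx)
            if outcome(doc) == "failure":
                failed.append(tx)
            ms = elapsed_ms(doc)
            if ms is not None and ms > SLOW_MS:
                slow[tx] = ms
    return {"auth_failures": auth_failures, "delegated_config_changes": delegated,
            "insecure_requests": insecure, "failed_requests": failed,
            "slow_requests_ms": slow}


# Constructed sample batch (not real telemetry); shapes follow the page's examples.
SAMPLE_EVENTS = [
    {"event": {"dataset": "forgerock.am_authentication", "outcome": "failure"},
     "forgerock": {"principal": ["svc-reporting"]}},
    {"event": {"dataset": "forgerock.am_authentication", "outcome": "failure"},
     "forgerock": {"principal": ["svc-reporting"]}},
    {"event": {"dataset": "forgerock.am_config", "id": "cfg-1"},
     "user": {"id": "id=alice,ou=user,ou=am-config",
              "effective": {"id": "id=dsameuser,ou=user,ou=am-config"}}},
    {"event": {"dataset": "forgerock.idm_access"}, "transaction": {"id": "tx-1"},
     "forgerock": {"http": {"request": {"secure": False}}, "response": {
         "elapsedTime": 2, "elapsedTimeUnits": "MILLISECONDS", "status": "SUCCESSFUL"}}},
    {"event": {"dataset": "forgerock.idm_access"}, "transaction": {"id": "tx-2"},
     "forgerock": {"http": {"request": {"secure": True}}, "response": {
         "elapsedTime": 3, "elapsedTimeUnits": "SECONDS", "status": "FAILED"}}},
]
```

Calling `triage(SAMPLE_EVENTS)` on the constructed batch reports two failures for svc-reporting, one delegated config change, tx-1 as insecure, and tx-2 as both failed and slow (3000 ms).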

IDM_activity events

This is the forgerock.idm_activity dataset. These logs capture operations on internal (managed) and external (system) objects in Identity Cloud. The idm_activity dataset records changes to identity content, such as adding or updating users and changing passwords. More information about these logs.

Example

An example event for idm_activity looks as follows:

{
    "@timestamp": "2022-11-01T18:02:39.882Z",
    "agent": {
        "ephemeral_id": "18f29cf6-4b37-4c4d-8d49-91bf8719e14c",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_activity",
        "namespace": "89179",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:09:56.979Z",
        "dataset": "forgerock.idm_activity",
        "id": "a9a32d9e-7029-45e6-b581-eafb5d502273-268906",
        "ingested": "2024-06-12T03:10:08Z",
        "outcome": "success"
    },
    "forgerock": {
        "eventName": "relationship_created",
        "level": "INFO",
        "message": "Relationship originating from managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88 via the relationship field parent and referencing managed/alpha_organization/c4de605d-9d1b-439e-9ea8-9aba47e01008  was created.",
        "objectId": "managed/alpha_organization/e6df3df4-c798-4187-ba06-db8e6ae3db88/parent/bb20cd10-e6ad-48fd-8ef1-e8d4c3f7859f",
        "operation": "CREATE",
        "passwordChanged": false,
        "revision": "00000000478fd92b",
        "source": "audit",
        "topic": "activity"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-activity"
    ],
    "transaction": {
        "id": "1667325742545-ee41d6454a6b4a815b69-24798/0"
    },
    "user": {
        "effective": {
            "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9"
        },
        "id": "9120c7db-d7e6-4b51-b805-07bbee7a4bb9"
    }
}

Exported fields

Field / Description / Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.message

Human readable text about the action.

keyword

forgerock.objectId

Specifies the identifier of an object that has been created, updated, or deleted.

keyword

forgerock.operation

The state change operation invoked.

keyword

forgerock.passwordChanged

Boolean specifying whether changes were made to the password.

boolean

forgerock.revision

Specifies the object revision number.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

input.type

Input type

keyword

IDM_authentication events

This is the forgerock.idm_authentication dataset. These logs record the result each time a caller authenticates to an /openidm endpoint in order to perform an action on an object. More information about these logs.

Example

An example event for idm_authentication looks as follows:

{
    "@timestamp": "2022-10-05T18:21:48.253Z",
    "agent": {
        "ephemeral_id": "a585941c-cf1b-4f9e-ab31-9f02ad2f3a8d",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_authentication",
        "namespace": "54220",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "authentication"
        ],
        "created": "2024-06-12T03:10:55.079Z",
        "dataset": "forgerock.idm_authentication",
        "id": "45463f84-ff1b-499f-aa84-8d4bd93150de-256208",
        "ingested": "2024-06-12T03:11:07Z",
        "outcome": "success"
    },
    "forgerock": {
        "entries": [
            {
                "info": {
                    "authIndex": "module_instance",
                    "authIndexValue": "Application",
                    "authLevel": "0",
                    "ipAddress": "1.128.0.0"
                },
                "moduleId": "Application"
            }
        ],
        "eventName": "authentication",
        "level": "INFO",
        "method": "MANAGED_USER",
        "principal": [
            "openidm-admin"
        ],
        "result": "SUCCESSFUL",
        "topic": "authentication",
        "trackingIds": [
            "45463f84-ff1b-499f-aa84-8d4bd93150de-256204"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-authentication"
    ],
    "transaction": {
        "id": "1664994108247-9f138d8fc9f59d23164c-26466/0"
    },
    "user": {
        "id": "id=user"
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.entries

The JSON representation of the details of an authentication module, chain, tree, or node.

flattened

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.method

The authentication method, such as JWT or MANAGED_USER.

keyword

forgerock.principal

The array of accounts used to authenticate.

keyword

forgerock.result

Status indicator, usually SUCCESS/SUCCESSFUL or FAIL/FAILED.

keyword

forgerock.topic

The topic of the event.

keyword

forgerock.trackingIds

Specifies a unique random string generated as an alias for each AM session ID and OAuth 2.0 token.

keyword

input.type

Input type

keyword
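
In the event above the outcome is carried in forgerock.result (and event.outcome) and the caller's address only under forgerock.entries[].info.ipAddress, a flattened field, so a failed-login detection has to read those rather than a top-level source.ip. The following is an added example written for this page, not code from the integration or from ForgeRock: it runs a sliding-window failure count per (principal, source IP) over documents constructed in the shape of the sample, and reports both a brute-force burst and a success that follows one. The threshold and window are assumed tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _auth_doc(ts, who, result, ip):
    """Build a constructed idm_authentication document trimmed to the fields read below."""
    return {
        "@timestamp": ts,
        "event": {"outcome": "success" if result == "SUCCESSFUL" else "failure"},
        "forgerock": {
            "principal": [who],
            "result": result,
            "method": "MANAGED_USER",
            "entries": [{"info": {"ipAddress": ip}}],
        },
    }


# Constructed sample: five failures for openidm-admin from one address, then a
# success from the same address, then an unrelated login. Not real ForgeRock output.
SAMPLE_EVENTS = [
    _auth_doc(f"2022-10-05T18:20:0{i}Z", "openidm-admin", "FAILED", "203.0.113.7")
    for i in range(1, 6)
] + [
    _auth_doc("2022-10-05T18:21:48Z", "openidm-admin", "SUCCESSFUL", "203.0.113.7"),
    _auth_doc("2022-10-05T18:22:10Z", "alice", "SUCCESSFUL", "198.51.100.4"),
]

# Assumed tuning values; pick them for your own tenant.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def _ts(doc):
    return datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))


def source_ip(doc):
    """ipAddress sits inside forgerock.entries[].info, so dig it out of the first entry that has one."""
    for entry in doc.get("forgerock", {}).get("entries", []):
        ip = entry.get("info", {}).get("ipAddress")
        if ip:
            return ip
    return None


def principal(doc):
    names = doc.get("forgerock", {}).get("principal") or ["<unknown>"]
    return names[0]


def is_failure(doc):
    """Prefer the ECS outcome; fall back to forgerock.result (FAIL/FAILED per the field table)."""
    outcome = doc.get("event", {}).get("outcome")
    if outcome:
        return outcome == "failure"
    return doc.get("forgerock", {}).get("result", "").upper().startswith("FAIL")


def detect_auth_abuse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window failure count per (principal, source IP).

    Emits 'bruteforce' when the count reaches the threshold and
    'success_after_failures' when a success follows that many recent failures.
    """
    failures = defaultdict(deque)
    alerts = []
    for doc in sorted(events, key=_ts):
        key = (principal(doc), source_ip(doc))
        now = _ts(doc)
        recent = failures[key]
        while recent and now - recent[0] > window:
            recent.popleft()
        if is_failure(doc):
            recent.append(now)
            if len(recent) == threshold:
                alerts.append({"rule": "bruteforce", "principal": key[0],
                               "ip": key[1], "failures": len(recent), "at": now})
        elif len(recent) >= threshold:
            alerts.append({"rule": "success_after_failures", "principal": key[0],
                           "ip": key[1], "failures": len(recent), "at": now})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the one worth paging on: a burst of failures followed by a success from the same address is the signature of a guessed or sprayed credential, whereas the burst alone may be a misconfigured client.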

IDM_config events

This is the forgerock.idm_config dataset. These logs capture configuration changes to Identity Cloud, recording when each change was made and by whom. More information about these logs.

Example

An example event for idm_config looks as follows:

{
    "@timestamp": "2022-10-19T16:12:12.549Z",
    "agent": {
        "ephemeral_id": "fb37ec3d-49b8-4a56-8540-f9bf8f749477",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_config",
        "namespace": "74292",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2024-06-12T03:11:48.197Z",
        "dataset": "forgerock.idm_config",
        "id": "5e787c05-c32f-40d3-9e77-666376f6738f-134332",
        "ingested": "2024-06-12T03:12:00Z"
    },
    "forgerock": {
        "changedFields": [
            "/mappings"
        ],
        "eventName": "CONFIG",
        "level": "INFO",
        "objectId": "sync",
        "source": "audit",
        "topic": "config"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-config"
    ],
    "transaction": {
        "id": "1666195908296-b802a87436c00618a43e-13149/0"
    },
    "user": {
        "effective": {
            "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
        },
        "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.changedFields

Specifies the fields that were changed.

keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.objectId

Specifies the identifier of an object that has been created, updated, or deleted.

keyword

forgerock.source

The source of the event.

keyword

forgerock.topic

The topic of the event.

keyword

input.type

Input type

keyword
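
The sample event answers "who changed what" through user.id, forgerock.objectId and forgerock.changedFields (JSON pointers into the changed object), and also carries user.effective.id. The following added example, written for this page rather than taken from the integration or from ForgeRock, turns such documents into a per-actor change ledger and attaches policy findings. The set of sensitive configuration objects, the approved-admin list and the reading of user.effective.id as the identity the change was applied as are this example's assumptions; the second and third documents are constructed.

```python
from collections import defaultdict

# Constructed idm_config documents shaped like the sample above, trimmed to the
# fields the review reads. Only the first mirrors the documented sample.
SAMPLE_CONFIG_EVENTS = [
    {   # documented sample: a sync mapping change by an approved admin
        "@timestamp": "2022-10-19T16:12:12.549Z",
        "forgerock": {"objectId": "sync", "changedFields": ["/mappings"]},
        "transaction": {"id": "1666195908296-b802a87436c00618a43e-13149/0"},
        "user": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf",
                 "effective": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"}},
    },
    {   # constructed: authentication config changed by an unknown actor, applied as the admin
        "@timestamp": "2022-10-19T16:30:00.000Z",
        "forgerock": {"objectId": "authentication",
                      "changedFields": ["/serverAuthContext/authModules/0/properties"]},
        "transaction": {"id": "1666196000000-0000000000000000000a-00001/0"},
        "user": {"id": "7f1c0a2e-0000-4000-8000-000000000001",
                 "effective": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"}},
    },
    {   # constructed: a cosmetic UI change with no user.effective present
        "@timestamp": "2022-10-19T16:45:00.000Z",
        "forgerock": {"objectId": "ui/configuration", "changedFields": ["/configuration/lang"]},
        "transaction": {"id": "1666196900000-0000000000000000000b-00002/0"},
        "user": {"id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"},
    },
]

# Assumed policy for the example; derive yours from your own IDM configuration.
SENSITIVE_OBJECTS = {"authentication", "sync", "managed", "access", "script"}
APPROVED_ADMINS = {"d7cd65bf-743c-4753-a78f-a20daae7e3bf"}


def review_config_change(doc):
    """Return who changed what, plus policy findings, for one idm_config document."""
    fr = doc.get("forgerock", {})
    user = doc.get("user", {})
    actor = user.get("id")
    # Assumption: user.effective.id is the identity the change was applied as.
    # In the sample it equals user.id; treat a mismatch as worth a look.
    effective = user.get("effective", {}).get("id", actor)
    object_id = fr.get("objectId", "")
    root = object_id.split("/", 1)[0]      # "ui/configuration" -> "ui"
    findings = []
    if root in SENSITIVE_OBJECTS:
        findings.append("sensitive-object")
        if actor not in APPROVED_ADMINS:
            findings.append("unapproved-actor")
    if effective != actor:
        findings.append("run-as")
    return {
        "at": doc.get("@timestamp"),
        "actor": actor,
        "effective": effective,
        "object": object_id,
        "fields": list(fr.get("changedFields", [])),
        "transaction": doc.get("transaction", {}).get("id"),
        "findings": findings,
    }


def change_ledger(events):
    """Group reviewed changes by actor so 'who changed what' is answerable at a glance."""
    ledger = defaultdict(list)
    for doc in events:
        entry = review_config_change(doc)
        ledger[entry["actor"]].append(entry)
    return dict(ledger)


if __name__ == "__main__":
    for actor, entries in change_ledger(SAMPLE_CONFIG_EVENTS).items():
        for entry in entries:
            print(actor, entry["object"], entry["fields"], entry["findings"])
```

Keying on the first path segment of objectId is deliberate: a change to any sub-object of a sensitive configuration tree should be reviewed, not only a change to its root.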

IDM_core events


This is the forgerock.idm_core dataset. These logs capture identity management debug logs for Identity Cloud. More information about these logs.

Example

An example event for idm_core looks as follows:

{
    "@timestamp": "2022-12-05T20:01:34.448Z",
    "agent": {
        "ephemeral_id": "0ecd4e49-8926-4644-a9ac-e464dcb4f31c",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_core",
        "namespace": "52603",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:12:40.380Z",
        "dataset": "forgerock.idm_core",
        "ingested": "2024-06-12T03:12:52Z",
        "reason": "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-debug",
        "forgerock-idm-core"
    ]
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.idm_core.message

keyword

forgerock.idm_core.name

keyword

forgerock.idm_core.target

keyword

forgerock.idm_core.type

keyword

input.type

Input type

keyword
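
Unlike the audit datasets, the idm_core sample is only lightly normalised: the Java log header ("Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance") lands in event.reason as a string. To pivot on which internal operation ran and when, that line has to be parsed. The following added example, written for this page and not part of the integration or of ForgeRock, splits such a header into timestamp, logger class and method and builds a per-method histogram. The first line is the documented sample; the others are constructed. The UTC assumption is taken from the sample, whose @timestamp (20:01:34Z) matches the 8:01:34 PM in the header.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed lines in the shape of the sample's event.reason, i.e. the
# java.util.logging SimpleFormatter header: "<Mon> <dd>, <yyyy> <h>:<mm>:<ss> <AM|PM> <logger> <method>".
SAMPLE_REASONS = [
    "Dec 05, 2022 8:01:34 PM org.forgerock.openidm.internal.InternalObjectSet readInstance",
    "Dec 05, 2022 8:01:35 PM org.forgerock.openidm.internal.InternalObjectSet readInstance",
    "Dec 05, 2022 8:02:10 PM org.forgerock.openidm.managed.ManagedObjectSet patchInstance",
    "not a log header at all",
]

_HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} (?:AM|PM)) "
    r"(?P<logger>[A-Za-z_$][\w$.]*) (?P<method>[A-Za-z_$][\w$]*)$"
)


def parse_jul_header(line):
    """Split one header line into timestamp, logger class and method; None if it is not one."""
    m = _HEADER.match(line)
    if not m:
        return None
    # Assumption: the header is in UTC (consistent with the sample's @timestamp).
    stamp = datetime.strptime(m["date"], "%b %d, %Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    logger = m["logger"]
    return {
        "timestamp": stamp,
        "logger": logger,
        "class": logger.rsplit(".", 1)[-1],
        "method": m["method"],
    }


def method_histogram(lines):
    """Count lines per class.method; lines that do not parse are counted under 'unparsed'."""
    counts = Counter()
    for line in lines:
        parsed = parse_jul_header(line)
        counts[f"{parsed['class']}.{parsed['method']}" if parsed else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for key, n in method_histogram(SAMPLE_REASONS).most_common():
        print(n, key)
```

Keep the 'unparsed' bucket in view: a sudden rise in it usually means the log format changed upstream, which silently blinds any rule keyed on the parsed fields.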

IDM_sync events

This is the forgerock.idm_sync dataset. These logs capture changes to an object that trigger automatic synchronization (live sync and implicit sync) when a repository is mapped to Identity Cloud. More information about these logs.

Example

An example event for idm_sync looks as follows:

{
    "@timestamp": "2022-10-19T16:09:17.900Z",
    "agent": {
        "ephemeral_id": "9597c9be-7da7-4082-890f-94632a9bdfed",
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "forgerock.idm_sync",
        "namespace": "29113",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2024-06-12T03:13:33.362Z",
        "dataset": "forgerock.idm_sync",
        "id": "5e787c05-c32f-40d3-9e77-666376f6738f-130280",
        "ingested": "2024-06-12T03:13:45Z",
        "outcome": "success"
    },
    "forgerock": {
        "action": "ASYNC",
        "eventName": "sync",
        "level": "INFO",
        "linkQualifier": "default",
        "mapping": "managedalpha_user_managedMarketinglist",
        "situation": "SOURCE_IGNORED",
        "source": "audit",
        "sourceObjectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41",
        "topic": "sync"
    },
    "input": {
        "type": "httpjson"
    },
    "observer": {
        "vendor": "ForgeRock Identity Platform"
    },
    "tags": [
        "forwarded",
        "forgerock-audit",
        "forgerock-idm-sync"
    ],
    "transaction": {
        "id": "1666195747447-56a35455016b7da218a6-11991/0"
    },
    "user": {
        "id": "d7cd65bf-743c-4753-a78f-a20daae7e3bf"
    }
}
Exported fields
Field Description Type

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

date

data_stream.dataset

The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.namespace

A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters

constant_keyword

data_stream.type

An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.

constant_keyword

forgerock.action

The synchronization action, depicted as a Common REST action.

keyword

forgerock.eventName

The name of the audit event.

keyword

forgerock.level

The log level.

keyword

forgerock.linkQualifier

ForgeRock’s link qualifier applied to the action.

keyword

forgerock.mapping

Name of the mapping used for the synchronization operation.

keyword

forgerock.situation

The synchronization situation, as documented at https://backstage.forgerock.com/docs/idm/7.2/synchronization-guide/chap-situations-actions.html#sync-situations

keyword

forgerock.source

The source of the event.

keyword

forgerock.sourceObjectId

Object ID on the source system.

keyword

forgerock.targetObjectId

Object ID on the target system.

keyword

forgerock.topic

The topic of the event.

keyword

input.type

Input type

keyword
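
Each sync event pairs a situation with the action IDM took for it, and the action is what matters for triage: a DELETE or EXCEPTION against a target system is the outcome of a mapping rule, so a run of them under one mapping is how a bad rule or a poisoned source object deprovisions accounts at scale. The following added example, written for this page and not part of the integration or of ForgeRock, classifies constructed idm_sync documents by severity and groups target deletions per (mapping, user) to surface a burst. The situation and action names follow the IDM synchronization guide linked in the field table; the severity assignment, the delete threshold and all but the first document are this example's assumptions.

```python
from collections import Counter, defaultdict

ADMIN = "d7cd65bf-743c-4753-a78f-a20daae7e3bf"   # user.id from the sample

# Constructed idm_sync documents shaped like the sample above, trimmed to the fields
# the triage reads. The first mirrors the documented sample; the rest are made up.
SAMPLE_SYNC_EVENTS = [
    {"forgerock": {"mapping": "managedalpha_user_managedMarketinglist", "situation": "SOURCE_IGNORED",
                   "action": "ASYNC",
                   "sourceObjectId": "managed/alpha_user/9d88b635-9b7a-48d3-9a57-1978b99a5f41"},
     "user": {"id": ADMIN}},
    {"forgerock": {"mapping": "managedalpha_user_systemLdapAccount", "situation": "CONFIRMED",
                   "action": "UPDATE", "sourceObjectId": "managed/alpha_user/u-1",
                   "targetObjectId": "system/ldap/account/u-1"},
     "user": {"id": ADMIN}},
    {"forgerock": {"mapping": "managedalpha_user_systemLdapAccount", "situation": "AMBIGUOUS",
                   "action": "EXCEPTION", "sourceObjectId": "managed/alpha_user/u-2"},
     "user": {"id": ADMIN}},
] + [
    {"forgerock": {"mapping": "managedalpha_user_systemLdapAccount", "situation": "SOURCE_MISSING",
                   "action": "DELETE", "targetObjectId": f"system/ldap/account/u-{n}"},
     "user": {"id": ADMIN}}
    for n in range(3, 6)
]

# Assumed severity table for the example, not ForgeRock's classification.
HIGH_ACTIONS = {"DELETE", "EXCEPTION"}
REVIEW_SITUATIONS = {"AMBIGUOUS", "FOUND_ALREADY_LINKED", "UNQUALIFIED", "SOURCE_MISSING"}


def triage(doc):
    """Severity of one sync document: the action taken outranks the situation found."""
    fr = doc.get("forgerock", {})
    if fr.get("action") in HIGH_ACTIONS:
        return "high"
    if fr.get("situation") in REVIEW_SITUATIONS:
        return "review"
    return "info"


def summarize_sync(events, delete_threshold=3):
    """Severity counts plus the (mapping, user) pairs that deleted at least delete_threshold targets."""
    by_severity = Counter(triage(d) for d in events)
    deleted = defaultdict(list)
    for d in events:
        fr = d.get("forgerock", {})
        if fr.get("action") == "DELETE":
            deleted[(fr.get("mapping"), d.get("user", {}).get("id"))].append(fr.get("targetObjectId"))
    mass_delete = {k: v for k, v in deleted.items() if len(v) >= delete_threshold}
    return {"by_severity": dict(by_severity), "mass_delete": mass_delete}


if __name__ == "__main__":
    summary = summarize_sync(SAMPLE_SYNC_EVENTS)
    print(summary["by_severity"])
    for (mapping, user), targets in summary["mass_delete"].items():
        print(f"{user} via {mapping} deleted {len(targets)} targets: {targets}")
```

The list of targetObjectId values in the mass_delete bucket is the useful output: it is exactly the set of target accounts to verify or restore once the mapping has been corrected.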

Changelog

Version | Details | Kibana version(s)
1.19.0 | Enhancement (View pull request): Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher
1.18.4 | Bug fix (View pull request): Fix handling of endTime query parameter. | 8.13.0 or higher
1.18.3 | Bug fix (View pull request): Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher
1.18.2 | Bug fix (View pull request): Fix handling of idm_core object payloads. | 8.13.0 or higher
1.18.1 | Bug fix (View pull request): Fix handling of query time ranges. | 8.13.0 or higher
1.18.0 | Enhancement (View pull request): Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.17.1 | Bug fix (View pull request): Fix sample event. | 8.12.0 or higher
1.17.0 | Enhancement (View pull request): Make event.type and event.category fields conform to ECS field definition. | 8.12.0 or higher
1.16.0 | Enhancement (View pull request): Improve handling of empty responses. | 8.12.0 or higher
1.15.0 | Enhancement (View pull request): Set sensitive values as secret. | 8.12.0 or higher
1.14.1 | Enhancement (View pull request): Changed owners. | 8.7.1 or higher
1.14.0 | Enhancement (View pull request): Limit request tracer log count to five. | 8.7.1 or higher
1.13.0 | Enhancement (View pull request): ECS version updated to 8.11.0. | 8.7.1 or higher
1.12.0 | Enhancement (View pull request): Improve event.original check to avoid errors if set. | 8.7.1 or higher
1.11.0 | Enhancement (View pull request): Use dynamic mappings for object fields. | 8.7.1 or higher
1.10.0 | Enhancement (View pull request): ECS version updated to 8.10.0. | 8.7.1 or higher
1.9.0 | Enhancement (View pull request): The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.7.1 or higher
1.8.0 | Enhancement (View pull request): Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher
1.7.0 | Enhancement (View pull request): Update package-spec to 2.10.0. | 8.7.1 or higher
1.6.0 | Enhancement (View pull request): Update package to ECS 8.9.0. | 8.7.1 or higher
1.5.0 | Enhancement (View pull request): Document duration units. | 8.7.1 or higher
1.4.0 | Enhancement (View pull request): Document valid duration units. | 8.7.1 or higher
1.3.1 | Bug fix (View pull request): Fix IDM Activity revision field type. | 8.7.1 or higher
1.3.0 | Enhancement (View pull request): Update package to ECS 8.8.0. | 8.7.1 or higher
1.2.0 | Enhancement (View pull request): Add a new flag to enable request tracing. | 8.7.1 or higher
1.1.0 | Enhancement (View pull request): Update package to ECS 8.7.0. | 7.17.0 or higher; 8.0.0 or higher
1.0.0 | Enhancement (View pull request): Initial draft of the package. | 7.17.0 or higher; 8.0.0 or higher