Hi @chuac,
You’ll find it in the am-access source:
{
  "_id": "d5eb0168-3d1f-4618-9c9b-9a5084d3d0cb-55018",
  "client": {
    "ip": "203.221.5.137"
  },
  "component": "OAuth",
  "eventName": "AM-ACCESS-ATTEMPT",
  "http": {
    "request": {
      "headers": {
        "accept": [
          "*/*"
        ],
        "content-type": [
          "application/x-www-form-urlencoded"
        ],
        "host": [
          "openam-nom1.forgeblocks.com"
        ],
        "user-agent": [
          "PostmanRuntime/7.32.3"
        ],
        "x-forwarded-for": [
          "203.221.5.137, 34.111.195.11, 10.168.0.4"
        ],
        "x-forwarded-proto": [
          "https"
        ]
      },
      "method": "POST",
      "path": "https://openam-nom1.forgeblocks.com/am/oauth2/realms/root/access_token",
      "secure": true
    }
  },
  "level": "INFO",
  "realm": "/",
  "request": {
    "detail": {
      "client_id": "service-account",
      "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "scope": "fr:idm:* fr:am:* fr:idc:esv:*"
    }
  },
  "source": "audit",
  "timestamp": "2023-09-06T23:51:34.506Z",
  "topic": "access",
  "transactionId": "1694044294504-d28a708e9b40a56cf6e9-358735/0"
}
Then access to IDM will show in idm-access:
{
  "_id": "d71a9ee3-4556-47ce-9de2-2280137349de-160012",
  "client": {
    "ip": "203.221.5.137",
    "port": 39768
  },
  "eventName": "access",
  "http": {
    "request": {
      "headers": {
        "accept": [
          "*/*"
        ],
        "host": [
          "openam-nom1.forgeblocks.com:443"
        ],
        "user-agent": [
          "PostmanRuntime/7.32.3"
        ],
        "x-forwarded-for": [
          "203.221.5.137, 34.111.195.11, 10.168.0.4"
        ],
        "x-forwarded-proto": [
          "https"
        ]
      },
      "method": "GET",
      "path": "https://openam-nom1.forgeblocks.com/openidm/repo/synchronisation/pooledSyncStage/SYSTEMMSSQLACCOUNT",
      "secure": true
    }
  },
  "level": "INFO",
  "request": {
    "operation": "READ",
    "protocol": "CREST"
  },
  "response": {
    "elapsedTime": 18,
    "elapsedTimeUnits": "MILLISECONDS",
    "status": "SUCCESSFUL",
    "statusCode": "200"
  },
  "roles": [
    "internal/role/openidm-svcacct",
    "internal/role/openidm-authorized"
  ],
  "server": {
    "ip": "10.68.1.253",
    "port": 8080
  },
  "source": "audit",
  "timestamp": "2023-09-06T23:53:23.453Z",
  "topic": "access",
  "trackingIds": [
    "d5eb0168-3d1f-4618-9c9b-9a5084d3d0cb-55020"
  ],
  "transactionId": "1694044403418-d28a708e9b40a56cf6e9-358910/0",
  "userId": "3614c5e2-6b46-4828-b487-a819e0ef258c"
}
Usually, I would look into am-everything and idm-everything, but these can be quite verbose on a dev environment. Tip: use the Splunk integration.
And this is a convenient filter to use in the Splunk search: source="My Source" NOT "http://localhost:8080/openidm/info/ping" NOT "http://idm/openidm/info/ping"
I hope this helps
Regards
Patrick
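
An added example, not part of the reply above: a small Python correlation of the two log sources shown in the post, pairing each IDM call made under `internal/role/openidm-svcacct` with the preceding jwt-bearer token request in am-access. Matching on client IP within a 15-minute window is an assumption made for this sketch, not a documented correlation key, and the second idm-access event is constructed to show an unmatched call.

```python
from datetime import datetime, timedelta

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SVC_ROLE = "internal/role/openidm-svcacct"

# am-access event from the post, trimmed to the fields used here.
AM_ACCESS = [{
    "eventName": "AM-ACCESS-ATTEMPT", "client": {"ip": "203.221.5.137"},
    "request": {"detail": {"client_id": "service-account", "grant_type": JWT_BEARER}},
    "timestamp": "2023-09-06T23:51:34.506Z",
    "transactionId": "1694044294504-d28a708e9b40a56cf6e9-358735/0",
}]
# idm-access: first event is from the post (trimmed); second is constructed
# (documentation IP, placeholder path) to show a call with no matching token request.
IDM_ACCESS = [{
    "client": {"ip": "203.221.5.137"}, "roles": [SVC_ROLE, "internal/role/openidm-authorized"],
    "http": {"request": {"path": "https://openam-nom1.forgeblocks.com/openidm/repo/synchronisation/pooledSyncStage/SYSTEMMSSQLACCOUNT"}},
    "request": {"operation": "READ"}, "timestamp": "2023-09-06T23:53:23.453Z",
}, {
    "client": {"ip": "198.51.100.7"}, "roles": [SVC_ROLE],
    "http": {"request": {"path": "https://tenant.example/openidm/constructed"}},
    "request": {"operation": "READ"}, "timestamp": "2023-09-06T23:55:00.000Z",
}]

def ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def token_requests(am_events):
    """am-access events that are jwt-bearer token requests."""
    return [e for e in am_events
            if e.get("eventName") == "AM-ACCESS-ATTEMPT"
            and e.get("request", {}).get("detail", {}).get("grant_type") == JWT_BEARER]

def correlate(am_events, idm_events, window=timedelta(minutes=15)):
    """Pair each service-account IDM call with the latest earlier token request
    from the same client IP inside `window`; token_txn is None when none exists."""
    grants = token_requests(am_events)
    rows = []
    for call in idm_events:
        if SVC_ROLE not in call.get("roles", []):
            continue
        prior = [g for g in grants if g["client"]["ip"] == call["client"]["ip"]
                 and timedelta(0) <= ts(call) - ts(g) <= window]
        match = max(prior, key=ts, default=None)
        rows.append({"ip": call["client"]["ip"], "operation": call["request"]["operation"],
                     "path": call["http"]["request"]["path"],
                     "token_txn": match["transactionId"] if match else None})
    return rows

if __name__ == "__main__":
    for row in correlate(AM_ACCESS, IDM_ACCESS):
        print(row)
```

Rows with `token_txn` set to `None` are service-account calls with no token request from the same address in the window, which is the case worth reviewing first.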