Missing idm-core logs in Splunk

I am missing all idm-core logs in Splunk, and they are missing from all of our tenants. They can be found using a cURL command in Postman to both /monitor/logs and /monitor/logs/tail. The log sources in the ForgeRock Splunkbase input are am-everything,idm-everything. I’ve tried adding idm-core explicitly, but the logs are still missing. I’m thinking it may be an issue with the Splunkbase app.

Is anyone able to get idm-core logs in Splunk? If so, how do you have your log source input configured?

Hi Dylan, I apologize for the delayed response. Our findings indicate that Splunk does not support the text/plain format, which is why the idm-core logs are not being captured. It would be a good idea to verify this on the Splunk side as well.

However, our engineering team is currently working on implementing JSON format for IDM debug logs, including idm-core logs in the IDC environment. For more details, please submit a support ticket and refer to: OPENIDM-18081.

I hope this helps.
Cheers,
Sheila
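The format point above (idm-core entries arriving as text/plain while audit sources arrive as JSON) can be checked and worked around per page of /monitor/logs output. The snippet below is an added example, not code from this thread or from ForgeRock; it assumes the documented response shape (result entries carrying source, type, timestamp and payload) and the Splunk HEC event envelope, and the sample page is constructed, not captured from a tenant.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample shaped like one /monitor/logs page: idm-core debug lines come
# back as text/plain strings, audit sources as application/json objects.
SAMPLE_PAGE = {
    "result": [
        {"source": "idm-core", "type": "text/plain", "timestamp": "2024-01-01T10:00:00.000Z",
         "payload": "[2024-01-01 10:00:00] WARNING org.forgerock.openidm.sync reconciliation skipped"},
        {"source": "am-access", "type": "application/json", "timestamp": "2024-01-01T10:00:01.000Z",
         "payload": {"eventName": "AM-ACCESS-OUTCOME", "result": "SUCCESSFUL"}},
        {"source": "idm-core", "type": "text/plain", "timestamp": "2024-01-01T10:00:02.000Z",
         "payload": "[2024-01-01 10:00:02] SEVERE org.forgerock.script script failed"},
    ],
    "pagedResultsCookie": None,
}

def type_breakdown(page):
    """Count entries per (source, type): shows which sources only ever return text/plain."""
    return Counter((e["source"], e["type"]) for e in page["result"])

def _epoch(ts):
    """ISO-8601 'Z' timestamp -> epoch seconds, as the HEC 'time' field expects."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()

def to_hec_events(page, index="forgerock"):
    """Normalise every entry into a Splunk HEC event dict. JSON payloads pass through;
    text/plain payloads are wrapped in an object so Splunk always receives JSON."""
    events = []
    for e in page["result"]:
        payload = e["payload"]
        if e["type"] == "text/plain" or not isinstance(payload, dict):
            payload = {"message": str(payload)}
        events.append({
            "time": _epoch(e["timestamp"]),
            "sourcetype": e["source"],
            "index": index,
            "event": {**payload, "forgerock_source": e["source"],
                      "forgerock_timestamp": e["timestamp"]},
        })
    return events

def hec_body(page, index="forgerock"):
    """Newline-delimited JSON body for a single POST to /services/collector."""
    return "\n".join(json.dumps(ev) for ev in to_hec_events(page, index))
```

Run type_breakdown over a few real pages first; if idm-core only ever appears with text/plain, the wrapping in to_hec_events is what lets those lines land in Splunk alongside the JSON audit events.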

If I might add, Splunk is an excellent reporting tool capable of parsing any structured formatted data, like csv or json, xm…

But what I find interesting is the need here to report on debug logs. If there are errors in execution, those errors will be caught in the Splunk reporting. That is, from an audit standpoint the relevant data is being reported on.

I’m not sure, from a development standpoint, of the value of a Splunk report from data sourced from debug logs.
That is, now I need to view a Splunk report to discover what I would find in the debug logs anyways?? What am I missing?

Moreover, Splunk is easily configured to watch directories and files. How specifically have you configured Splunk?

Cheers
