I am a Forgerock newbie specifically tasked with some configuration management for OpenIDM 7. I am trying to set up rotation and retention of our audit logs.
I have tried setting this using the ssoadm tool, the web UI and /opt/openidm/conf/audit.json.
Changes made in audit.json didn’t show in the web UI, so I reverted that back to the default and am focusing my efforts on either eventually turning this into an api call or command line with ssoadm.
Ideally, I’d like to do size and time based rotation and retention. I’m trying to do the smallest configuration to test right now though as I have not see any rotations with my initial more robust config.
My references are the following:
https://backstage.forgerock.com/docs/idm/7.2/audit-guide/audit-log-rotation.html
My config is the following:
$ sudo /opt/ssoadm/openam/bin/ssoadm get-sub-cfg -s AuditService -u ADMINUSER -f pwd -g “Global JSON Handler”
rotationInterval=120
rotationTimes=
bufferingMaxSize=100000
topics=access
topics=activity
topics=config
topics=authentication
rotationEnabled=true
retentionMinFreeSpaceRequired=-1
enabled=true
handlerFactory=org.forgerock.openam.audit.events.handlers.JsonAuditEventHandlerFactory
retentionMaxNumberOfHistoryFiles=50
retentionMaxDiskSpaceToUse=-1
rotationFileSuffix=-yy.MM.dd-HH.mm
bufferingWriteInterval=5
rotationMaxFileSize=100
rotationFilePrefix=
location=/var/log/openidm-audit
elasticsearchCompatible=false
rotationRetentionCheckInterval=5
As I understand it, this should check every 120 seconds for rotation.
Files should be rotated when sized over 100 bytes.
These are thresholds for testing, not for production.
My logs have never rotated:
$ ls -lht /var/log/openidm-audit/
total 285M
-rw-r–r–. 1 openidm openidm 298K Oct 25 2022 access.audit.json
-rw-r–r–. 1 openidm openidm 105M Oct 25 2022 recon.audit.json
-rw-r–r–. 1 openidm openidm 180M Oct 25 2022 activity.audit.json
-rw-r–r–. 1 openidm openidm 481 Oct 20 16:20 sync.audit.json
-rw-r–r–. 1 openidm openidm 0 Oct 18 23:37 authentication.audit.json
-rw-r–r–. 1 openidm openidm 0 Oct 18 23:37 config.audit.json
I would appreciate some direction on how to further troubleshoot this or evaluations of my current configuration.
thanks in advance!