Troubleshooting audit log rotation

I am a ForgeRock newbie specifically tasked with some configuration management for OpenIDM 7. I am trying to set up rotation and retention of our audit logs.
I have tried setting this using the ssoadm tool, the web UI and /opt/openidm/conf/audit.json.

Changes made in audit.json didn’t show in the web UI, so I reverted that back to the default and am focusing my efforts on eventually turning this into either an API call or a command line with ssoadm.

Ideally, I’d like to do size- and time-based rotation and retention. I’m trying to do the smallest configuration to test right now, though, as I have not seen any rotations with my initial, more robust config.

My references are the following:

https://backstage.forgerock.com/docs/idm/7.2/audit-guide/audit-log-rotation.html

My config is the following:
$ sudo /opt/ssoadm/openam/bin/ssoadm get-sub-cfg -s AuditService -u ADMINUSER -f pwd -g "Global JSON Handler"

rotationInterval=120
rotationTimes=
bufferingMaxSize=100000
topics=access
topics=activity
topics=config
topics=authentication
rotationEnabled=true
retentionMinFreeSpaceRequired=-1
enabled=true
handlerFactory=org.forgerock.openam.audit.events.handlers.JsonAuditEventHandlerFactory
retentionMaxNumberOfHistoryFiles=50
retentionMaxDiskSpaceToUse=-1
rotationFileSuffix=-yy.MM.dd-HH.mm
bufferingWriteInterval=5
rotationMaxFileSize=100
rotationFilePrefix=
location=/var/log/openidm-audit
elasticsearchCompatible=false
rotationRetentionCheckInterval=5

As I understand it, this should check every 120 seconds for rotation.
Files should be rotated when sized over 100 bytes.
These are thresholds for testing, not for production.

My logs have never rotated:
$ ls -lht /var/log/openidm-audit/
total 285M
-rw-r--r--. 1 openidm openidm 298K Oct 25 2022 access.audit.json
-rw-r--r--. 1 openidm openidm 105M Oct 25 2022 recon.audit.json
-rw-r--r--. 1 openidm openidm 180M Oct 25 2022 activity.audit.json
-rw-r--r--. 1 openidm openidm 481 Oct 20 16:20 sync.audit.json
-rw-r--r--. 1 openidm openidm 0 Oct 18 23:37 authentication.audit.json
-rw-r--r--. 1 openidm openidm 0 Oct 18 23:37 config.audit.json

I would appreciate some direction on how to further troubleshoot this or evaluations of my current configuration.

Thanks in advance!

As a follow-up, my logs seem to rotate every 3 days or so despite having been set to rotate every 24 hours. I disabled rotation to see if I could solve my problem with logrotate, and ForgeRock continues to rotate at an unpredictable interval.

Hi springtide,

The ssoadm tool is a CLI specifically for Access Management (AM). Any changes made using ssoadm will not be applied to IDM.

The following documentation links provide guidance on setting up rotation and retention of the IDM 7.1 audit logs.

I hope this helps!