Audit log export connector

The audit log export connector feature allows administrators to configure one or more connectors that forward OpenIAM audit events to external systems — a syslog server/SIEM or any generic HTTP webhook endpoint. Events are forwarded in real time (each audit event is streamed to the configured connectors as it is recorded).

Accessing audit log export connectors

Navigate to Webconsole > Audit Log Export Connectors (/webconsole/audit-export-connectors).

The search screen displays all configured connectors with the following columns:

ColumnDescription
NameThe display name of the connector.
Connector TypeSYSLOG or GENERIC_WEBHOOK.
EnabledWhether the connector is active.

Click a connector name to edit it, or click Add to create a new one.

Creating / Editing a connector

The edit screen is divided into sections.

General settings

FieldTypeRequiredDescription
NameTextYesA unique display name for this connector.
DescriptionTextAn optional description of the connector.
Connector TypeSelectYesThe target system type: SYSLOG or GENERIC_WEBHOOK.
EnabledCheckboxEnables or disables the connector without deleting it. Only enabled connectors receive events.
ActionsMulti-selectThe specific audit action types to export. If left empty, all audit actions are exported. Selecting actions limits export to those event types.
Transformer ScriptSelect / ReferenceOptional Groovy script (IdmAuditLogExportTransformer) that transforms each audit event into the outbound payload (and, for HTTP, can add custom headers). If not set, a default transformer serializes the full audit event. See Customizing the exported payload.

Note: Only top-level (parent) audit events are exported. Child/related sub-events (events with a parent) are not forwarded.

Syslog settings

Visible only when Connector Type is SYSLOG.

FieldTypeRequiredDefaultDescription
HostnameTextNolocal hostHostname or IP address of the target syslog server.
PortNumberNo514UDP port of the syslog server.
FacilityTextNoLOCAL0Syslog facility (label such as LOCAL0, or a numeric facility code).
SeverityTextNoINFORMATIONALSyslog severity level (e.g., INFORMATIONAL, WARNING, ERROR).
IdentTextNoopeniamApplication identifier included in the syslog message header.
Message OrderTextNoaction,principal,result,datetimeComma-separated list controlling which fields appear (and in what order) in the syslog message. Recognized fields include action, principal, result, datetime, and clientip; any other name is looked up directly in the transformed event, allowing a Groovy transformer to inject custom fields.

Note: Syslog messages are sent over UDP (plaintext). There is no TLS option for the syslog connector — if you require encrypted transport, place a TLS-capable syslog relay between OpenIAM and the destination, or use the HTTP (GENERIC_WEBHOOK) connector to an HTTPS endpoint.

HTTP settings

Visible only when Connector Type is GENERIC_WEBHOOK.

FieldTypeRequiredDescription
HTTP Endpoint URLTextYesThe full URL of the target endpoint. Each event is sent as an HTTP POST with a JSON body.
Authentication TokenPasswordNoToken sent with each request. If set, it is placed in the header named by Auth Header Name (default Authorization). After saving, the stored value is masked as ***; when editing, leave it as *** to keep the existing token unchanged.
Auth Header NameTextNoThe HTTP header used to pass the token. Defaults to the standard Authorization header if left blank.

Connector types

SYSLOG Forwards audit events to a syslog server / SIEM over UDP. Configure the target host, port, and optional syslog fields (facility, severity, ident, message order).

GENERIC_WEBHOOK Sends each audit event as an HTTP(S) POST with a JSON payload to any HTTP endpoint — useful for SIEMs that accept HTTP ingestion (e.g. a Splunk HTTP Event Collector URL), custom log pipelines, or alerting systems. Authentication is via a configurable token header.

How export works

  • Real time: when an audit event is saved, it is published asynchronously to every enabled connector whose Actions filter matches (or that has no filter). Export does not block audit writes.
  • Parent events only: child/related sub-events are filtered out; only top-level events are exported.
  • Retry and failure tracking: if a connector delivery fails, it is retried a small number of times after a delay. If it still fails, the failure is recorded (connector, event id, reason, timestamp) so it can be listed and manually retried later.

Customizing the exported payload

Each connector may reference an optional Groovy transformer that implements IdmAuditLogExportTransformer:

  • map(doc) returns the Map that is serialized as the outbound payload (JSON for HTTP, field values for syslog).
  • For HTTP connectors, the transformer may also contribute additional HTTP headers.

If no transformer is configured (or it cannot be loaded), a default transformer serializes the entire audit event to a map. A Groovy script that does not implement IdmAuditLogExportTransformer is rejected on save.

Saving and deleting

ActionDescription
SaveCreates or updates the connector. The connector cache is refreshed so changes take effect without a restart.
DeletePermanently removes the connector. Only available when editing an existing connector.
CancelDiscards unsaved changes and returns to the search screen. Only available when editing an existing connector.
Notes:
  • Multiple connectors can be configured simultaneously, each targeting a different system and/or filtering different event types.
  • The Actions multi-select is populated from the available
    AuditAction
    values; leaving it empty exports all actions.
  • Only enabled connectors receive events, and only top-level (non-child) audit events are exported.

Troubleshooting

Export runs asynchronously in the audit-log-manager service; check that service's logs for the messages below. A full list of the export error codes and log strings is also kept in the service log & error reference.

No events arriving at the target

Work through these in order — most "nothing is exported" cases are configuration, not failure:

CheckWhy
Is the connector Enabled?Only enabled connectors receive events.
Are you expecting child events?Only top-level (parent) events are exported; child/sub-events are intentionally dropped.
Does the Actions filter include the action you expect?A non-empty Actions list exports only those actions. Clear it to export all.
For syslog, is the destination correct and reachable over UDP?Syslog is sent over UDP (fire-and-forget) — there is no delivery confirmation, so a wrong host/port fails silently from the sender's side.
Did you just create/edit the connector?Connector changes are picked up from a cache that refreshes on save and on a periodic sweep; allow a moment for the change to take effect.

Delivery failures and retries

When a delivery fails, the service retries up to 2 times (after a delay) and then records the failure. The recorded failures for a connector can be listed and manually retried from the connector's failed-dispatch view (fix the root cause first).

Log message (audit-log-manager)Meaning / action
Dispatch failed for connector [...] auditLogId [...]: <error>A delivery attempt failed; <error> is the underlying cause. After retries it becomes a recorded failure.
HTTP connector [...]: POST to <url> returned non-2xx status <code>The webhook endpoint rejected the request — check the URL, the Authentication Token / Auth Header Name, and the endpoint's own logs.
HTTP connector [...]: failed to serialize payloadThe transformed payload could not be serialized to JSON — check the Groovy transformer's output.
Syslog connector [...]: cannot resolve hostname '<host>'DNS/host resolution failed — the event is dropped for that connector. Verify Hostname.
Syslog connector [...]: error opening socket / error sending messageUDP send problem — check network/firewall to the syslog Port.

Groovy transformer issues

SymptomMeaning / action
Save fails with a "Groovy class must extend export transformer" error (CANNOT_INSTANTIATE_GROOVY_CLASS)The selected script does not implement IdmAuditLogExportTransformer. Fix the script's class.
Save fails with a Groovy compilation error (CHECK_GROOVY_EXCEPTION)The transformer script failed to instantiate — check the script for errors.
Events export but with empty/incomplete payloads; log shows transformer failed, using empty map or ... does not implement IdmAuditLogExportTransformer, falling back to defaultThe transformer threw at runtime or isn't a valid transformer, so the connector fell back to an empty/default payload. Fix or remove the transformer.

Connector list looks stale

Log messageMeaning / action
Failed to refresh AuditExportConnectorCacheThe service could not reload connectors from the database; recent changes may not be applied. Check DB connectivity for audit-log-manager and restart the service if it persists.