Audit log export connector
The audit log export connector feature allows administrators to configure one or more connectors that forward OpenIAM audit events to external systems — a syslog server/SIEM or any generic HTTP webhook endpoint. Events are forwarded in real time (each audit event is streamed to the configured connectors as it is recorded).
Accessing audit log export connectors
Navigate to Webconsole > Audit Log Export Connectors (/webconsole/audit-export-connectors).
The search screen displays all configured connectors with the following columns:
| Column | Description |
|---|---|
| Name | The display name of the connector. |
| Connector Type | SYSLOG or GENERIC_WEBHOOK. |
| Enabled | Whether the connector is active. |
Click a connector name to edit it, or click Add to create a new one.
Creating / Editing a connector
The edit screen is divided into sections.
General settings
| Field | Type | Required | Description |
|---|---|---|---|
| Name | Text | Yes | A unique display name for this connector. |
| Description | Text | — | An optional description of the connector. |
| Connector Type | Select | Yes | The target system type: SYSLOG or GENERIC_WEBHOOK. |
| Enabled | Checkbox | — | Enables or disables the connector without deleting it. Only enabled connectors receive events. |
| Actions | Multi-select | — | The specific audit action types to export. If left empty, all audit actions are exported. Selecting actions limits export to those event types. |
| Transformer Script | Select / Reference | — | Optional Groovy script (IdmAuditLogExportTransformer) that transforms each audit event into the outbound payload (and, for HTTP, can add custom headers). If not set, a default transformer serializes the full audit event. See Customizing the exported payload. |
Note: Only top-level (parent) audit events are exported. Child/related sub-events (events with a parent) are not forwarded.
Syslog settings
Visible only when Connector Type is SYSLOG.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| Hostname | Text | No | local host | Hostname or IP address of the target syslog server. |
| Port | Number | No | 514 | UDP port of the syslog server. |
| Facility | Text | No | LOCAL0 | Syslog facility (label such as LOCAL0, or a numeric facility code). |
| Severity | Text | No | INFORMATIONAL | Syslog severity level (e.g., INFORMATIONAL, WARNING, ERROR). |
| Ident | Text | No | openiam | Application identifier included in the syslog message header. |
| Message Order | Text | No | action,principal,result,datetime | Comma-separated list controlling which fields appear (and in what order) in the syslog message. Recognized fields include action, principal, result, datetime, and clientip; any other name is looked up directly in the transformed event, allowing a Groovy transformer to inject custom fields. |
Note: Syslog messages are sent over UDP (plaintext). There is no TLS option for the syslog connector — if you require encrypted transport, place a TLS-capable syslog relay between OpenIAM and the destination, or use the HTTP (
GENERIC_WEBHOOK) connector to an HTTPS endpoint.
HTTP settings
Visible only when Connector Type is GENERIC_WEBHOOK.
| Field | Type | Required | Description |
|---|---|---|---|
| HTTP Endpoint URL | Text | Yes | The full URL of the target endpoint. Each event is sent as an HTTP POST with a JSON body. |
| Authentication Token | Password | No | Token sent with each request. If set, it is placed in the header named by Auth Header Name (default Authorization). After saving, the stored value is masked as ***; when editing, leave it as *** to keep the existing token unchanged. |
| Auth Header Name | Text | No | The HTTP header used to pass the token. Defaults to the standard Authorization header if left blank. |
Connector types
SYSLOG
Forwards audit events to a syslog server / SIEM over UDP. Configure the target host, port, and optional syslog fields (facility, severity, ident, message order).
GENERIC_WEBHOOK
Sends each audit event as an HTTP(S) POST with a JSON payload to any HTTP endpoint — useful for SIEMs that accept HTTP ingestion (e.g. a Splunk HTTP Event Collector URL), custom log pipelines, or alerting systems. Authentication is via a configurable token header.
How export works
- Real time: when an audit event is saved, it is published asynchronously to every enabled connector whose Actions filter matches (or that has no filter). Export does not block audit writes.
- Parent events only: child/related sub-events are filtered out; only top-level events are exported.
- Retry and failure tracking: if a connector delivery fails, it is retried a small number of times after a delay. If it still fails, the failure is recorded (connector, event id, reason, timestamp) so it can be listed and manually retried later.
Customizing the exported payload
Each connector may reference an optional Groovy transformer that implements IdmAuditLogExportTransformer:
map(doc)returns theMapthat is serialized as the outbound payload (JSON for HTTP, field values for syslog).- For HTTP connectors, the transformer may also contribute additional HTTP headers.
If no transformer is configured (or it cannot be loaded), a default transformer serializes the entire audit event to a map. A Groovy script that does not implement IdmAuditLogExportTransformer is rejected on save.
Saving and deleting
| Action | Description |
|---|---|
| Save | Creates or updates the connector. The connector cache is refreshed so changes take effect without a restart. |
| Delete | Permanently removes the connector. Only available when editing an existing connector. |
| Cancel | Discards unsaved changes and returns to the search screen. Only available when editing an existing connector. |
- Multiple connectors can be configured simultaneously, each targeting a different system and/or filtering different event types.
- The Actions multi-select is populated from the available
values; leaving it empty exports all actions.AuditAction - Only enabled connectors receive events, and only top-level (non-child) audit events are exported.
Troubleshooting
Export runs asynchronously in the audit-log-manager service; check that service's logs for the messages below. A full list of the export error codes and log strings is also kept in the service log & error reference.
No events arriving at the target
Work through these in order — most "nothing is exported" cases are configuration, not failure:
| Check | Why |
|---|---|
| Is the connector Enabled? | Only enabled connectors receive events. |
| Are you expecting child events? | Only top-level (parent) events are exported; child/sub-events are intentionally dropped. |
| Does the Actions filter include the action you expect? | A non-empty Actions list exports only those actions. Clear it to export all. |
| For syslog, is the destination correct and reachable over UDP? | Syslog is sent over UDP (fire-and-forget) — there is no delivery confirmation, so a wrong host/port fails silently from the sender's side. |
| Did you just create/edit the connector? | Connector changes are picked up from a cache that refreshes on save and on a periodic sweep; allow a moment for the change to take effect. |
Delivery failures and retries
When a delivery fails, the service retries up to 2 times (after a delay) and then records the failure. The recorded failures for a connector can be listed and manually retried from the connector's failed-dispatch view (fix the root cause first).
| Log message (audit-log-manager) | Meaning / action |
|---|---|
Dispatch failed for connector [...] auditLogId [...]: <error> | A delivery attempt failed; <error> is the underlying cause. After retries it becomes a recorded failure. |
HTTP connector [...]: POST to <url> returned non-2xx status <code> | The webhook endpoint rejected the request — check the URL, the Authentication Token / Auth Header Name, and the endpoint's own logs. |
HTTP connector [...]: failed to serialize payload | The transformed payload could not be serialized to JSON — check the Groovy transformer's output. |
Syslog connector [...]: cannot resolve hostname '<host>' | DNS/host resolution failed — the event is dropped for that connector. Verify Hostname. |
Syslog connector [...]: error opening socket / error sending message | UDP send problem — check network/firewall to the syslog Port. |
Groovy transformer issues
| Symptom | Meaning / action |
|---|---|
Save fails with a "Groovy class must extend export transformer" error (CANNOT_INSTANTIATE_GROOVY_CLASS) | The selected script does not implement IdmAuditLogExportTransformer. Fix the script's class. |
Save fails with a Groovy compilation error (CHECK_GROOVY_EXCEPTION) | The transformer script failed to instantiate — check the script for errors. |
Events export but with empty/incomplete payloads; log shows transformer failed, using empty map or ... does not implement IdmAuditLogExportTransformer, falling back to default | The transformer threw at runtime or isn't a valid transformer, so the connector fell back to an empty/default payload. Fix or remove the transformer. |
Connector list looks stale
| Log message | Meaning / action |
|---|---|
Failed to refresh AuditExportConnectorCache | The service could not reload connectors from the database; recent changes may not be applied. Check DB connectivity for audit-log-manager and restart the service if it persists. |