Audit Events
Audit Events
Auditing is the logging of audit records. It includes collecting data about system activities that affect the secure operation of the IBM® Verify Identity Access OIDC Provider (IVIAOP). The IVIAOP captures audit events whenever a token issuance operation occurs.
Sample audit event - success
{"instant":{"epochSecond":1745471863},"correlationId":"CORR_ID-6737c41d-86e3-4dd5-bc5a-13101d88de4d","iv-correlation-id":"73864fec-20cb-11f0-9cca-87e2e512eb08","level":"AUDIT","loggerName":"/internal/provider/audit.(*Auditor).Publish","tag":["AUDIT"],"component":"IBM Verify Identity Access OIDC Provider","source":{"stdout":"/app/ristretto"},"content":{"result":"success","eventType":"sso","subtype":"oidc","origin":"192.168.42.101","client_id":"client01deviceflow","client_name":"TV Client","client_type":"confidential","username":"testuser","grant_id":"248c4fdf-21a9-4785-9597-efe642f9cc41","grant_type":"urn:ietf:params:oauth:grant-type:device_code","scope":"openid","requestedScope":"openid","id_token":"eyJhbGciOiJSUzUxMiIsImtpZCI6Imh0dHBzZXJ2ZXJrZXkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiX3VmTVZDS1F0eVN5UVE2V0xBWnJHeXh2ZlpLUnpMLWRSdzJMTVBwaFFqZyIsImF1ZCI6WyJjbGllbnQwMWRldmljZWZsb3ciXSwiYXV0aF90aW1lIjoxNzQ1NDcxODYzLCJjdXN0b20xIjoiYmN1c3RvbSIsImN1c3RvbTIiOiJiY3VzdG9tIiwiZXhwIjoxNzQ1NDc1NDYzLCJpYXQiOjE3NDU0NzE4NjMsImlzcyI6Imh0dHBzOi8vd3d3LmlibS5jb20iLCJqdGkiOiJhYzE1OGE2Ni04MmVhLTQ0ZWQtOGQ4OS01NzljZWIzYzUxZTMiLCJyYXQiOjE3NDU0NzE4MTUsInJ0X2hhc2giOiJtcFhTNXp2d2N0bHI3cnoybkpMNXhxeEFrSmk3WkVxeF9GelhiNEFLU3RBIiwic3ViIjoidGVzdHVzZXIifQ.d19lV7Em9OWiF2TWuLdAScoL5srB-3mqARqMY9hIccj2iN4I6z5vDFKAYVc6mIcxsnaVpSNyjY04fxZ_Igp7_vfj_oIlf8iYU1W6urjfKlVySxo5n4CgPU_XV2Ghlly-yxWc8psaQy3I1-xb494PLT8rad9LekVoO-aOd4v0YT_wjxxfR0YBNogj-Yz-OTXzzHeXbg83opJT9oSaoMazgISgcH7hyY9-zghIHf_-xQiUVzHRbcRa1nnBYSzIlC05LkMD-X94GM7tKzwR4uicwBMmc3gYOstdRlrkIlSn8pPpJeBaM0wOYq6qyHLeCXUOnAwyv7B17Vo700GZ7HbRFNXjO0t2wWqNQXD1TWwFvmfOGy6b6IbO01n29BUOOtyExlUSvAmNBB4rKvoevHqbnkaI-IvZx47c8lpp9AiBFaYsViMHcjCk6TfKKbWt44HpQhqjp3HFXYwPtMN5cSrPSSxZISBz_XtQtohCkeO3jphwhRXHfywaoUc8eX5HlGCdM5GkCcx4yZFcLakNpkj6nJMXUtBzLABd1Ln5A1ZKuxBS6VPU4aKLXZe5E27IPTshmfHACAXdV_kd2xa6UBV_BkdqDzpCSvLT1ZXouOiAaB2zvRDsUstdRVxcItwgkm-oOrEAC6XbbxrA7tRAoLSZmHs6TESlp7XOKG4TkNfRusU","consent_modified":"false","devicetype":"PostmanRuntime/7.43.3","at_hash":"_ufMVCKQtySyQQ6WLAZrGyxvfZKRzL-dRw2LMPphQjg"}}
Sample audit events - failure
{"instant":{"epochSecond":1745465977},"correlationId":"CORR_ID-075967c4-ca61-4c20-af77-cf3147bae58b","iv-correlation-id":"","level":"AUDIT","loggerName":"/internal/provider/audit.(*Auditor).Publish","tag":["AUDIT"],"component":"IBM Verify Identity Access OIDC Provider","source":{"stdout":"/app/ristretto"},"content":{"result":"failure","eventType":"sso","subtype":"oidc","cause":"invalid_grant","origin":"172.27.0.1","client_id":"client01","client_name":"Photo Print Client","client_type":"confidential","email":"[email protected]","grant_id":"77a0482c-5f37-496f-8d63-5fffaec9e774","grant_type":"urn:ietf:params:oauth:grant-type:pre-authorized_code","redirecturl":"https://www.google.com","requestedScope":"openid","consent_modified":"false","devicetype":"frisby/2.1.3 (+https://github.com/vlucas/frisby)"}}
The following output elements are contained in the auditing records:
| Field | Description |
|---|---|
| instant/epochSecond | The number of seconds since Epoch at which the audit event was generated. |
| correlationId | Correlation Id indicates a unique identifier for a specific runtime flow. |
| iv-correlation-id | Identifier to correlate Web reverse proxy and OP runtime events |
| level | The logging level for the event. For audit records this will always have the value of 'AUDIT'. |
| loggerName | The logger class that generates the audit events. |
| tag | The tag used to indicate 'AUDIT' events. |
| component | The component that generated audit events. |
| content/result | The outcome of the event. The outcome element can be one of the following values: success/failure |
| content/eventType | The type of event. The outcome element can be one of the following values: sso/token |
| content/subtype | The subtype of event. The outcome element can be one of the following value: oidc |
| content/origin | The origin header of the event. |
| content/client_id | The client_id associated with the runtime flow. |
| content/client_name | The client_name associated with the runtime flow. |
| content/client_id | The client_id associated with the runtime flow. |
| content/devicetype | The device from which the runtime flow is initiated. |
| content/cause | When the runtime flow results in a failure, the cause of the failure |
Updated about 2 months ago