I have a use case that requires logging to be captured and have been following this document here:
How do I set up the ForgeRock Identity Cloud app for Splunk?
Which references: https://splunkbase.splunk.com/app/6272
ForgeRock Identity Cloud App for Splunk captures audit and debug logs from ForgeRock Identity Cloud tenants. A sample dashboard is included to graphically illustrate various captured metrics, for example, authentication events, identity registrations, and top-active users. Sample searches are also included to extend or modify the sample dashboard.
Problem is the app should not be calling the following endpoint: /monitoring/logs/tail
It should be calling the following endpoint, as noted in the ForgeRock product documentation: /monitoring/logs
To reduce unwanted stresses on the system, Identity Cloud limits the number of requests you can make to the /monitoring/logs endpoint in a certain timeframe:
The page-size limit is 1000 logs per request.
The request limit is 60 requests per minute.
The theoretical upper rate limit is therefore 60,000 logs per minute.
The reason this needs to be changed is that, when using the logs tail endpoint:
The /monitoring/logs/tail endpoint has the same limits and response headers as the /monitoring/logs endpoint described above. However, the endpoint also has a limit of 20,000 lines per request, which supersedes the page-size limit of 1000 logs per request.
Because calls to the /monitoring/logs/tail endpoint do not always fetch all logs, use this endpoint for debugging only. Use the /monitoring/logs endpoint when you need to fetch all logs.
I did find:
grep -i -R "/tail" forgerock/
Which pointed me to:
forgerock//bin/input_module_forgerock.py: response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs/tail", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False)
Lines 51-52 of input_module_forgerock.py show:
# The following examples send rest requests to some endpoint.
response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs/tail", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False)
I suspect updating this to /monitoring/logs as follows and restarting the app may resolve this:
# The following examples send rest requests to some endpoint.
response = helper.send_http_request(forgerock_id_cloud_tenant_url + "/monitoring/logs", 'GET', parameters=parameters, payload=None, headers=headers, cookies=None, verify=True, cert=None, timeout=60, use_proxy=False)
But when trying to grab logs it's failing:
2023-11-16 15:33:34,178 DEBUG pid=261576 tid=MainThread file=connectionpool.py:_make_request:461 | https://openam-testxyz.id.forgerock.io:443 "GET /monitoring/logs?source=am-authentication%2Cam-access%2Cam-config%2Cidm-activity&_pagedResultsCookie=eyJfc29ydEzbnRpY25Il19fQ HTTP/1.1" 500 74
2023-11-16 15:33:34,179 INFO pid=261576 tid=MainThread file=base_modinput.py:log_info:295 | Unexpected response from ForgeRock: 500
2023-11-16 15:33:34,179 ERROR pid=261576 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Login
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/forgerock/bin/forgerock/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/forgerock/bin/forgerock.py", line 76, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/forgerock/bin/input_module_forgerock.py", line 60, in collect_events
    response.raise_for_status()
  File "/opt/splunk/etc/apps/forgerock/bin/forgerock/aob_py3/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
Hoping someone has an idea @jknight
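A paging loop for /monitoring/logs that honours the two documented limits quoted above (1000 logs per page, 60 requests per minute), added here as an illustration and not code from the Splunk app or from ForgeRock. It assumes x-api-key/x-api-secret auth headers, a JSON body carrying result and pagedResultsCookie, and a pluggable send() transport; the fake tenant and its pages are constructed so the example runs offline.

```python
import time

PAGE_SIZE_LIMIT = 1000        # documented: max logs per /monitoring/logs request
MIN_INTERVAL_S = 60.0 / 60    # documented: 60 requests per minute, so one per second

def fetch_all_logs(send, tenant_url, sources, api_key, api_secret,
                   sleep=time.sleep, max_retries=3):
    """Page /monitoring/logs via _pagedResultsCookie until the cookie comes back empty.
    Assumed (not on the page): x-api-key/x-api-secret auth headers, a JSON body with
    'result' and 'pagedResultsCookie', and send(url, params, headers) -> (status, body)."""
    headers = {"x-api-key": api_key, "x-api-secret": api_secret}
    params = {"source": ",".join(sources), "_pageSize": str(PAGE_SIZE_LIMIT)}
    collected = []
    cookie, retries = "", 0
    while True:
        if cookie:
            params["_pagedResultsCookie"] = cookie
        status, body = send(tenant_url + "/monitoring/logs", params, headers)
        if status == 429 and retries < max_retries:   # throttled: back off, retry same page
            retries += 1
            sleep(MIN_INTERVAL_S * 2 ** retries)
            continue
        if status != 200:
            # Raise with the cookie in play so the caller keeps its last good checkpoint
            # instead of re-sending the page that failed (compare the 500 in the log above).
            raise RuntimeError(f"/monitoring/logs returned {status} (cookie={cookie!r})")
        retries = 0
        collected.extend(body.get("result", []))
        cookie = body.get("pagedResultsCookie") or ""
        if not cookie:
            return collected
        sleep(MIN_INTERVAL_S)                         # pace requests to stay under 60/min

def make_fake_tenant(pages):
    """Constructed offline stand-in for a tenant: serves pages by cookie index and answers
    the first request for page 1 with a 429 so the back-off path is exercised."""
    state = {"throttled": False}
    def send(url, params, headers):
        idx = int(params.get("_pagedResultsCookie") or 0)
        if idx == 1 and not state["throttled"]:
            state["throttled"] = True
            return 429, {}
        nxt = str(idx + 1) if idx + 1 < len(pages) else ""
        return 200, {"result": pages[idx], "pagedResultsCookie": nxt}
    return send

def demo():
    pages = [[{"source": "am-authentication", "id": f"{p}-{i}"} for i in range(3)] for p in range(3)]
    return len(fetch_all_logs(make_fake_tenant(pages), "https://tenant.example",
                              ["am-authentication", "am-access"], "KEY", "SECRET",
                              sleep=lambda _s: None))     # constructed 3 pages x 3 -> 9
```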