Custom Task to Prune Audit Logs

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hello! Does anyone have a custom task to prune audit logs from the SailPoint database? Specifically looking for a task/rule to schedule periodic pruning from identityiq.spt_audit_event. Thank you! Steven Lees

Hi @StevenLeesSNV

TaskDefinition

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="" executor="sailpoint.task.RuleExecutor" id="" modified="" name="Audit Event Prune Task" resultAction="Delete" subType="task_item_type_generic" type="Generic">
  <Attributes>
    <Map>
      <entry key="TaskSchedule.host"/>
      <entry key="ruleConfig" value="auditEventMaxAge,80"/>
      <entry key="ruleName" value="Audit Event Pruner"/>
      <entry key="taskCompletionEmailNotify" value="Disabled"/>
      <entry key="taskCompletionEmailRecipients"/>
      <entry key="taskCompletionEmailTemplate"/>
    </Map>
  </Attributes>
  <Description>A task that runs the "Audit Event Pruner" rule to delete audit events older than the number of days set in ruleConfig.</Description>
  <Signature>
    <Inputs>
      <Argument helpKey="Days before audit event deletion" name="ruleConfig" type="string">
        <Prompt>Days before audit event deletion</Prompt>
      </Argument>
    </Inputs>
  </Signature>
</TaskDefinition>

Rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="Audit Event Pruner">
  <Description>Deletes AuditEvent objects whose created date is older than the number of days given by auditEventMaxAge in the task's ruleConfig. Run by the "Audit Event Prune Task" TaskDefinition through sailpoint.task.RuleExecutor.</Description>
  <Signature>
    <Inputs>
      <Argument name="config">
        <Description>
          Map of key/value pairs taken from the task's ruleConfig attribute; must contain auditEventMaxAge (age in days).
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>

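  import java.util.Calendar;
  import java.util.Date;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.Filter;
  import sailpoint.object.AuditEvent;
  import sailpoint.api.Terminator;

  // "config" carries the key/value pairs from the task's ruleConfig attribute ("auditEventMaxAge,80").
  int auditEventMaxAge = Integer.parseInt(config.get("auditEventMaxAge"));

  // A zero or negative age would move the cutoff to today or into the future
  // and delete recent (or all) audit events, so refuse to run.
  if (0 >= auditEventMaxAge) {
    throw new IllegalArgumentException("auditEventMaxAge must be a positive number of days");
  }

  Terminator terminator = new Terminator(context);

  // Cutoff: midnight, in the JVM's default time zone, auditEventMaxAge days ago.
  Calendar calendar = Calendar.getInstance();
  calendar.set(Calendar.HOUR_OF_DAY, 0);
  calendar.set(Calendar.MINUTE, 0);
  calendar.set(Calendar.SECOND, 0);
  calendar.set(Calendar.MILLISECOND, 0);
  calendar.add(Calendar.DAY_OF_MONTH, -auditEventMaxAge);

  Date date = calendar.getTime();

  // Select audit events created before the cutoff.
  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.lt("created", date));

  // Delete every matching AuditEvent.
  terminator.deleteObjects(AuditEvent.class, qo);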
  </Source>
</Rule>

This looks great! Thank you so much! I’ll review and test immediately!

All good here! Thank you Abhinav!