YIAM© QuarterDeck AuditLogger
Flexible Audit Log Forwarding for SailPoint IdentityIQ
Audit transparency is a key requirement in enterprise Identity Governance programs. SailPoint IdentityIQ captures detailed audit trails in its internal database, but getting these events into modern SIEM systems like Microsoft Sentinel, Splunk, or Elastic remains a challenge, especially when direct database access is limited or not allowed.
To address this, we introduce the YIAM© QuarterDeck AuditLogger. This IdentityIQ plugin is designed to streamline the delivery of audit events to external systems using log4j2.
The Challenge
SailPoint IdentityIQ stores its audit log in the internal spt_audit_event table. Over time this table grows significantly, causing performance degradation and management overhead. Cleanup strategies help, but many environments also require persistent storage or real-time monitoring of audit events beyond the IdentityIQ database.
Yet exporting data from this table to a SIEM like Microsoft Sentinel is far from straightforward. Direct database access is often restricted, and there is no native connector from IIQ to Sentinel. Replication pipelines (e.g., to Azure SQL or via Azure Data Factory) add moving parts, cost, and operational burden.
Organizations need a lean, reliable alternative to forward audit logs from IdentityIQ into their SIEM without complicating their architecture.
YIAM© QuarterDeck AuditLogger
The AuditLogger Plugin offers a simple yet powerful solution:
It continuously monitors the spt_audit_event table, extracts new audit events, and sends them to IdentityIQ’s built-in log4j2 logger. From there, the events can be collected by any SIEM-capable log agent.
The Features Behind the Flexibility
The YIAM© QuarterDeck AuditLogger combines simplicity with powerful audit logging capabilities. Here’s what makes it effective:
- Polling-Based Audit Collection
A background service runs every 60 seconds, checking IdentityIQ’s spt_audit_event table for events created or updated since the last run.
- File-Based Output Using log4j2
Events are written to a dedicated log file using IIQ’s native log4j2 logging engine. This file (e.g., /logs/sailpoint/sptaudit.log) can be picked up by any SIEM-compatible log collector such as Filebeat, rsyslog, or NXLog.
- Built-In Configuration Interface
The plugin provides a UI inside IdentityIQ where administrators define exactly which audit event types are included in the log, giving precise control over what is forwarded and reducing noise.
- Minimal Setup – No DB Changes Required
The plugin installs using SailPoint’s standard plugin deployment mechanism. It requires no schema changes or database extensions.
- Performance-Preserving
Once the events are persisted outside the database, spt_audit_event can be kept on a short retention window without losing history, which keeps the IdentityIQ database lean and performant.
- SIEM-Friendly Integration
Designed to fit existing logging infrastructure, the plugin enables scalable audit forwarding to platforms like Microsoft Sentinel, Splunk, or Elastic.
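The plugin writes through IIQ's log4j2 logger, so the dedicated file is declared on the IIQ side, not in the plugin. The following is an added example of such a declaration for IIQ's log4j2.properties; it is not taken from the plugin's documentation. The appender name, file path and logger name are assumptions: the logger name must match the name the plugin actually logs to, which you take from its documentation or source.

```properties
# Added example: dedicated rolling file for the forwarded audit stream.
# Names below are hypothetical; the logger name must match the plugin's logger.
appender.sptaudit.type = RollingFile
appender.sptaudit.name = sptaudit
appender.sptaudit.fileName = /logs/sailpoint/sptaudit.log
appender.sptaudit.filePattern = /logs/sailpoint/sptaudit-%d{yyyy-MM-dd}-%i.log.gz

# Message only, one record per line: the collector (Filebeat, NXLog, rsyslog)
# should not have to strip a log4j prefix before parsing. If the plugin's
# message does not carry its own timestamp, prepend %d{ISO8601} here.
appender.sptaudit.layout.type = PatternLayout
appender.sptaudit.layout.pattern = %m%n

# Roll daily or at 100 MB, keep 30 archives; the SIEM is the long-term store.
appender.sptaudit.policies.type = Policies
appender.sptaudit.policies.time.type = TimeBasedTriggeringPolicy
appender.sptaudit.policies.time.interval = 1
appender.sptaudit.policies.size.type = SizeBasedTriggeringPolicy
appender.sptaudit.policies.size.size = 100MB
appender.sptaudit.strategy.type = DefaultRolloverStrategy
appender.sptaudit.strategy.max = 30

# Route only the plugin's logger to the file. additivity=false keeps the
# audit records out of sailpoint.log, where they would be mixed with debug output.
logger.sptaudit.name = com.example.auditlogger.sptaudit
logger.sptaudit.level = info
logger.sptaudit.additivity = false
logger.sptaudit.appenderRef.sptaudit.ref = sptaudit
```

The file carries who-did-what-to-whom data for every identity in the system, so treat it like the audit table itself: owned by the IIQ service account, readable by the collector agent's account only, and shipped with the same retention and integrity controls the SIEM applies to other audit sources.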
How It Works
Once installed, the plugin:
- Sets up a ServiceDefinition that executes every 60 seconds
- On each run, checks for new or updated entries in spt_audit_event since the last execution
- Filters the events based on the configuration defined via the plugin UI
- Forwards the filtered entries to log4j2, where they are written to a dedicated audit log file
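As an added illustration of these four steps, here is a sketch of such a polling service, written for this page and not WedaCon's plugin code. It assumes the public IIQ Java API of the 8.x releases (Service, ServiceDefinition, AuditEvent, QueryOptions, Filter, Custom, JsonHelper, Util); package, class, logger and Custom-object names are hypothetical, and the include-list of actions is read from the same Custom object in place of the plugin's UI. It goes one step beyond the text in two places: the boundary between runs is handled with a `>=` watermark on `created` plus the ids already emitted at that timestamp (a plain `>` can drop events that share the watermark's millisecond, a plain `>=` re-emits them), and each event is written as one JSON object per line so the SIEM side needs no multi-line parsing.

```java
package com.example.auditlogger;   // hypothetical package, not the vendor's

import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import sailpoint.api.SailPointContext;
import sailpoint.object.AuditEvent;
import sailpoint.object.Custom;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.server.Service;
import sailpoint.tools.GeneralException;
import sailpoint.tools.JsonHelper;
import sailpoint.tools.Util;

/**
 * Wired in with a ServiceDefinition, e.g.
 *   <ServiceDefinition name="AuditForward" interval="60"
 *                      executor="com.example.auditlogger.AuditForwardService"/>
 * Watermark, ids already emitted at that watermark, and the action include-list
 * live in a Custom object so a restart neither re-emits nor skips events.
 */
public class AuditForwardService extends Service {

    // Must match the logger name routed to the audit file in log4j2.properties.
    private static final Logger AUDIT = LogManager.getLogger("com.example.auditlogger.sptaudit");
    private static final String STATE = "AuditForwardState";  // hypothetical Custom object
    private static final int BATCH = 1000;                    // bound one run's work

    @Override
    public void execute(SailPointContext ctx) throws GeneralException {
        Custom state = ctx.getObjectByName(Custom.class, STATE);
        if (state == null) {
            state = new Custom();
            state.setName(STATE);
        }
        Date mark = (Date) state.get("lastCreated");
        Set<String> doneAtMark = stringSet(state.get("idsAtLastCreated"));
        Set<String> include = stringSet(state.get("actions"));   // empty = forward everything

        QueryOptions qo = new QueryOptions();
        if (mark != null) {
            qo.addFilter(Filter.ge("created", mark));   // >= so same-millisecond events survive
        }
        if (!include.isEmpty()) {
            qo.addFilter(Filter.in("action", include)); // server-side filtering, not in Java
        }
        qo.addOrdering("created", true);
        qo.addOrdering("id", true);
        qo.setResultLimit(BATCH);                       // the remainder is picked up next run

        Date newMark = mark;
        Set<String> newDone = new HashSet<String>(doneAtMark);
        Iterator<AuditEvent> it = ctx.search(AuditEvent.class, qo);
        while (it.hasNext()) {
            AuditEvent e = it.next();
            if (sameMillis(e.getCreated(), mark) && doneAtMark.contains(e.getId())) {
                continue;                               // emitted by a previous run
            }
            AUDIT.info(JsonHelper.toJson(toRecord(e))); // one JSON object per line
            if (!sameMillis(e.getCreated(), newMark)) {
                newMark = new Date(e.getCreated().getTime());
                newDone.clear();                        // new millisecond, fresh id set
            }
            newDone.add(e.getId());
        }
        Util.flushIterator(it);

        if (newMark != null) {
            state.put("lastCreated", newMark);
            state.put("idsAtLastCreated", new ArrayList<String>(newDone));
            ctx.saveObject(state);
            ctx.commitTransaction();
        }
    }

    /** Flat, stable field names so SIEM parsers do not depend on IIQ's column layout. */
    static Map<String, Object> toRecord(AuditEvent e) {
        Map<String, Object> r = new LinkedHashMap<String, Object>();
        r.put("id", e.getId());
        r.put("created", Instant.ofEpochMilli(e.getCreated().getTime()).toString());
        r.put("action", e.getAction());
        r.put("source", e.getSource());
        r.put("target", e.getTarget());
        r.put("application", e.getApplication());
        r.put("accountName", e.getAccountName());
        r.put("attributeName", e.getAttributeName());
        r.put("attributeValue", e.getAttributeValue());
        r.put("interface", e.getInterface());
        return r;
    }

    // Hibernate may hand back java.sql.Timestamp, whose equals() rejects plain Dates.
    private static boolean sameMillis(Date a, Date b) {
        return a != null && b != null && a.getTime() == b.getTime();
    }

    private static Set<String> stringSet(Object o) {
        Set<String> s = new HashSet<String>();
        List<?> l = Util.asList(o);
        if (l != null) for (Object v : l) s.add(String.valueOf(v));
        return s;
    }
}
```

Two things to check against your own IIQ version before reusing the pattern: the exact Service and Util signatures in the Javadoc of that release, and whether your audit events are ever modified after creation (the sketch tracks `created` only; if you rely on "updated" events, key the watermark on `modified` as well).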
Use Cases
The AuditLogger plugin is built to address real-world challenges faced by IdentityIQ administrators and security teams. Typical use cases include:
- Delivering audit events from IdentityIQ to Microsoft Sentinel (or other SIEMs) without relying on database replication
- Maintaining a lean and performant SailPoint database by offloading audit data to external log files
- Ensuring long-term retention and central visibility of critical access-related actions
- Providing filtered audit exports tailored to specific security, compliance, or reporting requirements
- Replacing manual audit cleanup or export routines with an automated, continuous background service
Example Events Supported
You can include or exclude any relevant audit event using the plugin’s configuration UI. Some examples include:
- login, logout
- import
- updateRole, disableRole
- PluginEnabled, PluginConfigurationChanged
- PasswordPolicyChange
- AuthAnswerIncorrect
- ServerUpDown
- IdentityLocked, Unlock
- … and many more
The flexibility allows you to focus on events that matter most for your organization.
Product Family
YIAM© QuarterDeck AuditLogger is part of the YIAM© product family. It is a suite of targeted tools built by WedaCon to address operational, compliance, and integration challenges in IAM environments.
Backed by over 20 years of experience, these solutions streamline Identity Management processes, improve security posture, and reduce manual effort, all while integrating seamlessly into your existing SailPoint deployments.
For more information about the YIAM© product family, package deals and upgrade opportunities, contact us using one of our channels.
