Security audit logging

The PingFederate records a subset of transaction log information with additional details at runtime, intended to facilitate security auditing and regulatory compliance. The following table describes the default elements that PingFederate writes to the audit log (in the order that they are listed):

ElementDescription
%dTransaction time.
eventThe type of transaction; for example, SSO.
subjectThe subject of the transaction.
ipIncoming IP address.
appThe target SP application (when available).
connectionidThe connection identifier associated with the transaction.
protocolThe associated identity protocol; for examples, SAML20 or OAuth20.
hostPingFederate host name or IP address.
roleThe role of PingFederate played for the transaction.
statusTransaction success or failure.
adapteridThe ID of an adapter instance.
descriptionDescription of an authentication failure (when information is available from an IdP adapter).
responsetimeTime elapsed (in milliseconds) from when a final request for a transaction is received to when the audit message is written. This value serves as an approximation of total transaction processing time and may be useful for monitoring trends.

PingFederate records this information in the audit.log file located in the <pf_install>/pingfederate/log directory. Each element is separated by a vertical pipe (|). Elements are configurable by editing the <pf_install>/pingfederate/server/default/conf/log4j2.xml file.

The following table describes other elements (in alphabetical order) that can be added to the audit log:

ElementDescription
accessgrantguidThe GUID of the OAuth access grant (for OAuth transactions).
assertionidThe unique ID for the SAML assertion.
attrackingidThe tracking ID for OAuth access token. It could be used to analyze the flow of OAuth access tokens in the audit log and between PingFederate and PingAccess.
attributesUser attributes received (for an SP log) or sent (for an IdP log).
authenticationsourceidAn array of one or more IdP adapters, IdP connections, or both, invoked in an authentication or logout flow.
granttypeOAuth grant type.
initiator(SAML 2.0 only) The federation role that initiated the SSO or SLO: SP or IDP.
inmessagetypeIncoming message type. Possible values are Request or Response.
inresponsetoThe value of the InResponseTo attribute of an SSO or SLO Response.
inxmlmsgThe incoming message; for examples, a SAML AuthnRequest or the information pertaining to an OAuth request.
localuseridThe local ID used for the transaction (when account linking is enabled at the SP).
outxmlmsgThe outgoing message; for examples, a SAML Response or the information pertaining to a response for an OAuth request.
pfversionThe PingFederate version.
requestidThe ID of a request.
responseidThe ID of a response.
requeststarttimeThe start time of the request in milliseconds since midnight, January 1, 1970 UTC.
stspluginidFor WS-Trust STS transactions, the ID for the token-processor or token-generator instance.
targetsessionidAn array of one or more SP adapters, SP connections, or both, invoked in an authentication or logout flow.
trackingidThe tracking ID used for debugging purposes in the server log.
validatoridThe ID of the Password Credential Validator instance used for OAuth resource-owner grant transactions.
virtualserveridThe virtual server ID of a request (if applicable).

The audit.log file is rolled over at midnight daily. As needed, administrators may choose a different formats, including databases. For more information, see PingFederate log files and Writing logs to other formats.

TipThe audit log records SSO, SLO, OAuth AS, WS-Trust STS, and Inbound SCIM transactions. Outbound Provisioning transactions are not included; they are logged to the provisioner audit log (see Outbound provisioning audit logging).

Tags Hosting Environment > On-Premises; Product > PingFederate > PingFederate 8.0; Product > PingFederate > PingFederate 8.1; Product > PingFederate