• Download and install Splunk.

Splunk is enterprise software that allows for monitoring, reporting, and analyzing consolidated log files. Splunk captures and indexes real-time data into a single searchable repository from which reports, graphs, and other data visualization can be generated.

The PingAccess Splunk App provides rich system monitoring and reporting, including:

  • Current transaction and system reports
  • Service reports such as a daily usage report and IdP and SP reports per connection
  • Trend reports such as weekly and monthly usage reports, and trend analysis

The application uses a specially formatted version of the audit logs, which are written to the PingAccess log directory when the setup steps described below are followed.

Note: The Splunk App for PingAccess is available separately. It requires an enterprise-licensed (or trial) installation of the Splunk software and the Splunk Universal Forwarder, which is needed to collect data from the PingAccess Splunk audit logs. The application includes additional documentation on installation and available features. Download the free application from Splunkbase.splunk.com by searching for PingAccess.
Note: The PingAccess App for Splunk was designed to use the default Splunk log pattern configuration. If you have changed the output format of the Splunk rolling files, those changes can impact the functionality of the PingAccess App for Splunk.
  1. Set up your Splunk server.
    1. Enable a receiver to listen for data from the servers hosting PingAccess.

      For more information, see Splunk documentation.

    2. Install the Splunk App for PingAccess using the Splunk Add-on documentation.
  2. Configure PingAccess to output the three available Splunk audit logs: pingaccess_engine_audit_splunk.log, pingaccess_api_audit_splunk.log, and pingaccess_agent_audit_splunk.log. By default, these logs are written to <PA_HOME>/log/.
    1. Edit <PA_HOME>/conf/log4j2.xml.
    2. In the Audit Log Configuration section, edit the apiaudit, engineaudit, and agentaudit logger configurations to uncomment the Splunk AppenderRef:
      <!-- ======================= -->
      <!-- Audit log configuration -->
      <!-- ======================= -->
      <Logger name="apiaudit" level="INFO" additivity="false">
          <AppenderRef ref="APIAuditLog-File"/>
          <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>-->
          <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>-->
          <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>-->
          <AppenderRef ref="ApiAudit2Splunk"/>
          <!--<AppenderRef ref="ApiAuditLog-HarFile"/>-->
      </Logger>
      <Logger name="engineaudit" level="INFO" additivity="false">
          <AppenderRef ref="EngineAuditLog-File"/>
          <!--<AppenderRef ref="EngineAuditLog-Database-Failover"/>-->
          <!--<AppenderRef ref="EngineAuditLog-SQLServer-Database-Failover"/>-->
          <!--<AppenderRef ref="EngineAuditLog-PostgreSQL"/>-->
          <AppenderRef ref="EngineAudit2Splunk"/>
          <!--<AppenderRef ref="EngineAuditLog-HarFile"/>-->
      </Logger>
      <Logger name="agentaudit" level="INFO" additivity="false">
          <AppenderRef ref="AgentAuditLog-File"/>
          <!--<AppenderRef ref="AgentAuditLog-Database-Failover"/>-->
          <!--<AppenderRef ref="AgentAuditLog-SQLServer-Database-Failover"/>-->
          <!--<AppenderRef ref="AgentAuditLog-PostgreSQL"/>-->
          <AppenderRef ref="AgentAudit2Splunk"/>
          <!--<AppenderRef ref="AgentAuditLog-HarFile"/>-->
      </Logger>
    3. Uncomment the ApiAudit2Splunk, EngineAudit2Splunk, and AgentAudit2Splunk RollingFile appender definitions.
      This is the default (commented-out) configuration for the ApiAudit2Splunk appender:
      <!--
      <RollingFile name="ApiAudit2Splunk"
                   fileName="${sys:pa.home}/log/pingaccess_api_audit_splunk.log"
                   filePattern="${sys:pa.home}/log/pingaccess_api_audit_splunk.%d{yyyy-MM-dd}.log"
                   ignoreExceptions="false">
          <PatternLayout>
              <pattern>%d{ISO8601} exchangeId="%X{exchangeId}" trackingId="%X{AUDIT.trackingId}" subject="%X{AUDIT.subject}" authMech="%X{AUDIT.authMech}" client="%X{AUDIT.client}" method="%X{AUDIT.method}" requestUri="%X{AUDIT.requestUri}" responseCode="%X{AUDIT.responseCode}" responder="%X{AUDIT.responder}" engineHostname="%X{AUDIT.host}" %n</pattern>
          </PatternLayout>
          <Policies>
              <TimeBasedTriggeringPolicy />
          </Policies>
      </RollingFile>
      -->

      This is the updated configuration for the ApiAudit2Splunk file, with the RollingFile uncommented and no other changes:

      <RollingFile name="ApiAudit2Splunk"
                   fileName="${sys:pa.home}/log/pingaccess_api_audit_splunk.log"
                   filePattern="${sys:pa.home}/log/pingaccess_api_audit_splunk.%d{yyyy-MM-dd}.log"
                   ignoreExceptions="false">
          <PatternLayout>
              <pattern>%d{ISO8601} exchangeId="%X{exchangeId}" trackingId="%X{AUDIT.trackingId}" subject="%X{AUDIT.subject}" authMech="%X{AUDIT.authMech}" client="%X{AUDIT.client}" method="%X{AUDIT.method}" requestUri="%X{AUDIT.requestUri}" responseCode="%X{AUDIT.responseCode}" responder="%X{AUDIT.responder}" engineHostname="%X{AUDIT.host}" %n</pattern>
          </PatternLayout>
          <Policies>
              <TimeBasedTriggeringPolicy />
          </Policies>
      </RollingFile>
  3. Set up Splunk Universal Forwarder.
    1. Download the Splunk Universal Forwarder from Splunk and install it on the PingAccess server.
    2. Configure the Splunk Universal Forwarder to monitor the three Splunk log files (pingaccess_engine_audit_splunk.log, pingaccess_api_audit_splunk.log, and pingaccess_agent_audit_splunk.log) and forward the data to the receiver you configured.

    For detailed installation and configuration instructions, see Splunk documentation.
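As an added check (example code, not part of the PingAccess documentation or product), the script below parses lines written by the default ApiAudit2Splunk pattern shown above and flags any line whose field set differs from it, which is the situation the note about changed Splunk output formats warns about. It assumes Log4j2 renders %d{ISO8601} as yyyy-MM-ddTHH:mm:ss,SSS and uses constructed sample lines, not real PingAccess output.

```python
import re

# Field names in the default ApiAudit2Splunk PatternLayout from log4j2.xml.
EXPECTED_FIELDS = ("exchangeId", "trackingId", "subject", "authMech", "client",
                   "method", "requestUri", "responseCode", "responder", "engineHostname")

# Log4j2 %d{ISO8601} renders as 2024-03-05T14:22:11,480 (comma before milliseconds).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\s+(.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one audit line into {'timestamp': ..., name: value, ...}; None if no timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    fields.update(KV_RE.findall(m.group(2)))
    return fields

def check_line(line):
    """Return the list of problems; an empty list means the line matches the default pattern."""
    fields = parse_line(line)
    if fields is None:
        return ["no ISO8601 timestamp prefix"]
    problems = []
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    extra = [f for f in fields if f != "timestamp" and f not in EXPECTED_FIELDS]
    if extra:
        problems.append("unexpected fields: " + ", ".join(extra))
    return problems

def check_log(lines):
    """Return (matching_count, [(line_number, problems), ...]) over an iterable of lines."""
    results = [(n, check_line(l)) for n, l in enumerate(lines, 1) if l.strip()]
    bad = [(n, p) for n, p in results if p]
    return len(results) - len(bad), bad

# Constructed sample lines (not real PingAccess output). Line 1 follows the default
# pattern; line 2 came from an edited pattern that dropped responseCode and renamed subject.
SAMPLE_LINES = [
    '2024-03-05T14:22:11,480 exchangeId="c0ffee01" trackingId="tid-42" subject="alice" '
    'authMech="Cookie" client="10.0.0.12" method="GET" requestUri="/pa-admin-api/v3/applications" '
    'responseCode="200" responder="PingAccess" engineHostname="pa-admin-1" ',
    '2024-03-05T14:22:12,003 exchangeId="c0ffee02" trackingId="tid-43" user="bob" '
    'authMech="OAuth" client="10.0.0.13" method="POST" requestUri="/pa-admin-api/v3/sites" '
    'responder="PingAccess" engineHostname="pa-admin-1" ',
]
```

Run check_log over the lines of pingaccess_api_audit_splunk.log before pointing the Universal Forwarder at it; any reported problem means the PingAccess App for Splunk will not field-extract those events as expected.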