PingAccess

Parsing HAR-formatted audit log files

Reformat a snapshot instance of a HAR-formatted audit log file so that you can view it or parse it with a HTTP Archive (HAR) reader.

About this task

Before sharing any HAR data with a third-party application, carefully review the third-party application’s permissions and sanitize any potentially sensitive information out of the log files.

Steps

  1. Download the jq command-line tool from https://stedolan.github.io/jq/download/.

    Select a jq version for the operating system that you deployed your PingAccess environment on.

    For more information on PingAccess operating system requirements, see System requirements.

  2. Create a file called pa-har-merge.jq.

    Example:

    {
log: {
  version: .[0].log.version,
  creator: .[0].log.creator,
  entries: (reduce .[] as $entry ([]; . + ($entry.log.entries | map(. + { _metadata: $entry.log._metadata }))))
  }
}

    For examples of how to parse the PingAccess HAR-formatted log files with pa-merge-har.jq, see the following commands. These examples assume that:

    • You’ve set PA_HOME and PA_HAR_MERGE_HOME as environment variables that define the base paths to the PingAccess instance and the pa-merge-har.jq file respectively.

    • You’re attempting to parse the HAR-formatted API audit log file.

    To filter requests based on request URL, run the command:

    cat $PA_HOME/log/pingaccess_api_audit_har.log | jq -s -f $PA_HAR_MERGE_HOME/pa-har-merge.jq | jq '.log.entries = [ .log.entries[] | select(.request.url != "/pa-admin-api/v3/adminSessionInfo/checkOnly") ]

    To output the HAR-formatted log file into a file format that’s usable with a standard HAR viewer, run the command:

    cat $PA_HOME/log/pingaccess_api_audit_har.log | jq -s -f $PA_HAR_MERGE_HOME/pa-har-merge.jq > log.har

    View the output log.har file with a standard HAR viewer, such as browser dev tools or the HTTP Archive Viewer.