Security audit logging

PingAccess audit logs record a select subset of transaction log information at runtime plus additional details meant to facilitate security auditing and regulatory compliance.

You can find the audit logs in <PA_HOME>/log/. The audit log configuration table describes the elements that the audit logs record. You can configure these elements in conf/log4j2.xml.

Because log files can be viewed or modified using a variety of common applications, it’s possible for log files to be manipulated to include untrusted or malicious data. You should take appropriate steps to secure your log files. Do not open them in applications that could allow for data execution, such as internet browsers or Microsoft Office products. Instead, open your log files in a common, lightweight text editor.

PingAccess generates these audit logs:

pingaccess_engine_audit.log: Records transactions of configured resources. Additionally, the log records transaction details when PingAccess sends requests to PingFederate. For example, Security Token Service (STS), OAuth 2.0, and JSON Web Signature (JWS) requests.
pingaccess_api_audit.log: Records PingAccess administrative application programming interface (API) transactions. These transactions represent activity in the PingAccess administrative console. This log also records transaction activity if you’re using scripts to configure PingAccess.
pingaccess_agent_audit.log: Records transactions between PingAccess agents and the PingAccess engine.
pingaccess_sideband_client_audit.log: Records transactions sent to and from the sideband client integration.
pingaccess_sideband_audit.log: Records the end-user transactions that the sideband client request captures.

Audit log configuration

Element Description

%d

Transaction time.

exchangeId

Identifies the ID for a specific request-response pair.

AUDIT.applicationID

Specifies the ID of the requested application.

AUDIT.applicationName

Specifies the name of the requested application.

AUDIT.resourceID

Specifies the ID of the requested resource.

AUDIT.resourceName

Specifies the name of the requested resource.

AUDIT.pathPrefix

Specifies the path prefix of the requested application or resource.

AUDIT.pathPrefixType

Specifies the pattern type of the path prefix, Wildcard or Regex.

AUDIT.authMech

The mechanism used for authentication:

Engine Auditing: Cookie (WAM session), OAuth, unknown (for example, pass-through or static assets). Pass-through assets are resources with no policies or web session configured.
Admin Auditing: Basic, OAuth, Cookie, unknown(unknown displays only in an authentication failure).

AUDIT.client

The Internet Protocol (IP) address of the requesting client.

AUDIT.failedRuleName

The name of the rule that failed. If there was no rule failure, this field will be blank.

This element is applicable only to the pingaccess_engine_audit.log.

AUDIT.failedRuleType

The type of rule that failed. If there was no rule failure, this field will be blank.

This element is applicable only to the pingaccess_engine_audit.log.

AUDIT.failedRuleClass

The Java class of the rule that failed. If there was no rule failure, this field will be blank.

This element is applicable only to the pingaccess_engine_audit.log.

AUDIT.failedRuleSetName

The name of the containing rule set that failed. If there was no rule failure, this field will be blank.

This element is applicable only to the pingaccess_engine_audit.log.

AUDIT.host

The PingAccess host name or IP address.

AUDIT.targetHost

The backend target that processed the request and generated a response to the PingAccess engine.

This variable is unset when PingAccess generated the response directly.

AUDIT.method

The HTTP method of the request. For example, GET.

AUDIT.resource

The name of the resource used to fulfill the request.

This element is applicable only to the pingaccess_engine_audit.log.

AUDIT.responseCode

The HTTP status code of the response. For example, 200.

AUDIT.requestUri

The request Uniform Resource Identifier (URI) portion of the request. For example, /foo/bar.

AUDIT.subject

The subject of the transaction.

AUDIT.trackingId

The PingFederate tracking ID. You can use this element to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log.

This value depends on whether the application type is Web or API.

If the application type is Web, the value is formatted as tid:<Session_Identifier>. The <Session_Identifier> can be used by the PingFederate Session Revocation API to revoke the session without disabling the user in the identity store.

If the application type is API, the value is formatted as atid:<Hash>. The <Hash> value dervies from the OAuth Access token for the session, and only serves as an identifier; it can’t be used for session revocation.

AUDIT.reqReceivedMillisec

The time in milliseconds since 1970 that a client request was first received.

AUDIT.reqSentMillisec

The time in milliseconds since 1970 that the agent or engine sent a backchannel or proxy request.

AUDIT.respReceivedMillisec

The time in milliseconds since 1970 that the agent or engine received a response from a backchannel call or proxy request.

AUDIT.respSentMillisec

The time in milliseconds since 1970 that a response was sent back to the client.

AUDIT.roundTripMS

The respSentMillisec time minus the reqReceivedMillisec time.

This represents the total number of milliseconds that it took PingAccess to respond to a client’s request, including the proxyRoundTripMS.

AUDIT.proxyRoundTripMS

The respReceivedMillisec time minus the reqSentMillisec time. This represents the total number of milliseconds that PingAccess was waiting for another entity to respond to a backchannel call or proxy request.

AUDIT.siteUnavailableInfo

If a site is unavailable, this is reason why the last attempted site target is unavailable.

AUDIT.agentName

The name of the agent.

AUDIT.responder

The component that generated the response. Valid values are PingAccess, PingOne, Site, Third Party Service, OpenID Provider, and Authorization Server.

The PingOne responder type refers only to the PingOne Protect integration. When you’re using PingOne as a token provider, PingAccess labels backchannel communications as either OpenID Provider or Authorization Server, depending on the context of the transaction.

AUDIT.clientCertSerialNum

The serial number of the client certificate.

AUDIT.clientCertSubjectDn

The subject of the client certificate as an X.500 domain name.

AUDIT.clientCertIssuerDn

The issuer of the client certificate as an X.500 domain name.

AUDIT.sidebandName

The name of the requesting sideband client.

AUDIT.sidebandDecision

The policy decision returned in response to the sideband client request. Valid values are accept and reject.

agent{a-header-value-key}

The vnd-pi-agent header value for a given key. This represents the header value that an agent sends to PingAccess. Well-known keys are:

v: The version of the agent that’s making the request.
h: The host name of the server where the agent resides.
t: The type of agent or the type of platform where the agent resides.

This information isn’t sent by default. For more information about logging these details, see Agent inventory logging.

appRequestHeader{a-header-name}

The HTTP request header value for the given HTTP request header name. Represents the header value that PingAccess sends to the backend site.

appResponseHeader{a-header-name}

The HTTP response header value for the given HTTP request header name. Represents the header value that the application sent PingAccess.

clientRequestHeader{a-header-name}

The HTTP request header value for the given HTTP request header name. Represents the header value that the client sent PingAccess.

clientResponseHeader{a-header-name}

The HTTP response header value for the given HTTP request header name. Represents the header value that PingAccess returned to the client.

To get information about the timing for backchannel calls, such as the OpenID Connect (OIDC) UserInfo endpoint call, use the exchangeID property to match related log entries and the AUDIT.roundTripMS and AUDIT.proxyroundTripMS properties to view the timing.