Security audit logging
PingAccess audit logs record a select subset of transaction log information at runtime plus additional details meant to facilitate security auditing and regulatory compliance.
You can find the audit logs in <PA_HOME>/log/
. The audit log configuration table describes the elements that the audit logs record. You can configure these elements in conf/log4j2.xml
.
Because log files can be viewed or modified using a variety of common applications, it’s possible for log files to be manipulated to include untrusted or malicious data. You should take appropriate steps to secure your log files. Do not open them in applications that could allow for data execution, such as internet browsers or Microsoft Office products. Instead, open your log files in a common, lightweight text editor. |
PingAccess generates these audit logs:
pingaccess_engine_audit.log
-
Records transactions of configured resources. Additionally, the log records transaction details when PingAccess sends requests to PingFederate. For example, Security Token Service (STS), OAuth 2.0, and JSON Web Signature (JWS) requests.
pingaccess_api_audit.log
-
Records PingAccess administrative application programming interface (API) transactions. These transactions represent activity in the PingAccess administrative console. This log also records transaction activity if you’re using scripts to configure PingAccess.
pingaccess_agent_audit.log
-
Records transactions between PingAccess agents and the PingAccess engine.
pingaccess_sideband_client_audit.log
-
Records transactions sent to and from the sideband client integration.
pingaccess_sideband_audit.log
-
Records the end-user transactions that the sideband client request captures.
Audit log configuration
Element | Description | ||
---|---|---|---|
|
Transaction time. |
||
|
Identifies the ID for a specific request-response pair. |
||
|
Specifies the ID of the requested application. |
||
|
Specifies the name of the requested application. |
||
|
Specifies the ID of the requested resource. |
||
|
Specifies the name of the requested resource. |
||
|
Specifies the path prefix of the requested application or resource. |
||
|
Specifies the pattern type of the path prefix, |
||
|
The mechanism used for authentication:
|
||
|
The Internet Protocol (IP) address of the requesting client. |
||
|
The name of the rule that failed. If there was no rule failure, this field will be blank.
|
||
|
The type of rule that failed. If there was no rule failure, this field will be blank.
|
||
|
The Java class of the rule that failed. If there was no rule failure, this field will be blank.
|
||
|
The name of the containing rule set that failed. If there was no rule failure, this field will be blank.
|
||
|
The PingAccess host name or IP address. |
||
|
The backend target that processed the request and generated a response to the PingAccess engine. This variable is unset when PingAccess generated the response directly. |
||
|
The HTTP method of the request. For example, |
||
|
The name of the resource used to fulfill the request.
|
||
|
The HTTP status code of the response. For example, |
||
|
The request Uniform Resource Identifier (URI) portion of the request. For example, |
||
|
The subject of the transaction. |
||
|
The PingFederate tracking ID. You can use this element to help correlate audit information in the PingAccess audit log with information recorded in the PingFederate audit log. This value depends on whether the application type is If the application type is If the application type is |
||
|
The time in milliseconds since 1970 that a client request was first received. |
||
|
The time in milliseconds since 1970 that the agent or engine sent a backchannel or proxy request. |
||
|
The time in milliseconds since 1970 that the agent or engine received a response from a backchannel call or proxy request. |
||
|
The time in milliseconds since 1970 that a response was sent back to the client. |
||
|
The This represents the total number of milliseconds that it took PingAccess to respond to a client’s request, including the |
||
|
The |
||
|
If a site is unavailable, this is reason why the last attempted site target is unavailable. |
||
|
The name of the agent. |
||
|
The component that generated the response. Valid values are
|
||
|
The serial number of the client certificate. |
||
|
The subject of the client certificate as an X.500 domain name. |
||
|
The issuer of the client certificate as an X.500 domain name. |
||
|
The name of the requesting sideband client. |
||
|
The policy decision returned in response to the sideband client request. Valid values are |
||
|
The
This information isn’t sent by default. For more information about logging these details, see Agent inventory logging. |
||
|
The HTTP request header value for the given HTTP request header name. Represents the header value that PingAccess sends to the backend site. |
||
|
The HTTP response header value for the given HTTP request header name. Represents the header value that the application sent PingAccess. |
||
|
The HTTP request header value for the given HTTP request header name. Represents the header value that the client sent PingAccess. |
||
|
The HTTP response header value for the given HTTP request header name. Represents the header value that PingAccess returned to the client. |
To get information about the timing for backchannel calls, such as the OpenID Connect (OIDC) |