PingAccess

Enabling the CEF format file

Steps

  1. Uncomment the CEF file appender references in the apiaudit, engineaudit, agentaudit, sidebandclientaudit, and sidebandaudit logger configurations.

    Example:

    In the Audit log configuration section of the log4j2.xml file, go to the apiaudit logger configuration and uncomment the ApiAuditLogToCEF-File appender reference:

    <!-- ======================= -->
    <!-- Audit log configuration -->
    <!-- ======================= -->
    <Logger name="apiaudit" level="${sys:pa.log.level.apiaudit:-INFO}" additivity="false">
       <AppenderRef ref="APIAuditLog-File"/>
       <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>-->
       <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>-->
       <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>-->
       <!--<AppenderRef ref="ApiAudit2Splunk"/>-->
       <!--<AppenderRef ref="ApiAuditLog-HarFile"/>-->
       <AppenderRef ref="ApiAuditLogToCEF-File"/>
       <!--<AppenderRef ref="ApiAuditLogToCEF-Syslog-Failover"/>-->
    </Logger>

    Repeat this with the EngineAuditLogToCEF-FILE, AgentAuditLogToCEF-FILE, SidebandClientAuditLogToCEF-FILE, and SidebandAuditLogToCEF-FILE appender references.

  2. Uncomment the RollingFile preset appender configurations in the Api Audit log : CEF format file, Engine Audit log : CEF format file, Agent Audit log : CEF format file, SidebandClient Audit log : CEF format file, and Sideband Audit log : CEF format file sections.

    Example:

    In the Api Audit log : CEF format file section, uncomment the ApiAuditLogToCEF-File RollingFile preset appender configuration:

    <RollingFile name="ApiAuditLogToCEF-File"
                 fileName="${sys:pa.home}/log/pingaccess_api_audit_cef.log"
                 filePattern="${sys:pa.home}/log/pingaccess_api_audit_cef.%d{yyyy-MM-dd}.log" >
       <PatternLayout>
          <pattern>%escape{CEF}{CEF:0|Ping Identity|PingAccess|%X{AUDIT.paVersion}|%X{exchangeId}|API_AccessEvent|0|rt=%d{ISO8601} msg=%X{AUDIT.responseCode} duid=%X{AUDIT.subject} src=%X{AUDIT.client} requestMethod=%X{AUDIT.method} request=%X{AUDIT.requestUri} cs1Label=AuthenticationMechanism cs1=%X{AUDIT.authMech} cs2Label=RoundTripMS cs2=%X{AUDIT.roundTripMS} externalId=%X{AUDIT.trackingId} %n}</pattern>
       </PatternLayout>
       <Policies>
          <TimeBasedTriggeringPolicy />
       </Policies>
    </RollingFile>

    Repeat this with the EngineAuditLogToCEF-FILE, AgentAuditLogToCEF-FILE, SidebandClientAuditLogToCEF-FILE, and SidebandAuditLogToCEF-FILE appender configurations.

  3. Save and close the file.
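
To confirm that steps 1 and 2 were applied consistently, the following added example (not part of the PingAccess documentation or product) parses the contents of log4j2.xml and reports, for each of the five audit loggers, whether its CEF file appender reference is active and resolves to a defined RollingFile appender. The function name, the status strings, and the embedded sample configuration are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Logger names from step 1 of the procedure.
AUDIT_LOGGERS = ("apiaudit", "engineaudit", "agentaudit",
                 "sidebandclientaudit", "sidebandaudit")

# Constructed sample, not a real PingAccess file; Engine/Agent names are assumed.
SAMPLE = """<Configuration>
  <Appenders>
    <RollingFile name="ApiAuditLogToCEF-File" fileName="api_cef.log" filePattern="api_cef.%d.log"/>
    <!--<RollingFile name="EngineAuditLogToCEF-File" fileName="eng_cef.log" filePattern="eng_cef.%d.log"/>-->
  </Appenders>
  <Loggers>
    <Logger name="apiaudit" additivity="false">
      <AppenderRef ref="ApiAuditLogToCEF-File"/>
    </Logger>
    <Logger name="engineaudit" additivity="false">
      <AppenderRef ref="EngineAuditLogToCEF-File"/>
    </Logger>
    <Logger name="agentaudit" additivity="false">
      <!--<AppenderRef ref="AgentAuditLogToCEF-File"/>-->
    </Logger>
  </Loggers>
</Configuration>"""

def check_cef_file_logging(xml_text):
    """Return {logger_name: status} for the five audit loggers."""
    # The parser drops XML comments, so commented-out elements do not count.
    root = ET.fromstring(xml_text)
    rolling = {e.get("name") for e in root.iter("RollingFile")}
    loggers = {e.get("name"): e for e in root.iter("Logger")}
    result = {}
    for name in AUDIT_LOGGERS:
        logger = loggers.get(name)
        if logger is None:
            result[name] = "logger missing"
            continue
        refs = [r.get("ref") or "" for r in logger.iter("AppenderRef")]
        cef = [r for r in refs if r.lower().endswith("cef-file")]
        if not cef:
            result[name] = "CEF file AppenderRef still commented out"
        elif any(r not in rolling for r in cef):  # exact, case-sensitive match
            result[name] = "AppenderRef has no matching RollingFile"
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    print(check_cef_file_logging(SAMPLE))
```

Pass the text of the edited log4j2.xml file to check_cef_file_logging in place of SAMPLE; any status other than "ok" points at the step that was missed for that logger.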