---
title: Writing audit logs for Splunk
description: Ping Identity provides a custom Splunk app for PingAccess to process audit logs generated by a PingAccess deployment.
component: pingaccess
version: 9.0
page_id: pingaccess:configuring_and_customizing_pingaccess:pa_writing_audit_logs_for_splunk
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/configuring_and_customizing_pingaccess/pa_writing_audit_logs_for_splunk.html
revdate: May 8, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Writing audit logs for Splunk

Ping Identity provides a custom Splunk app for PingAccess to process audit logs generated by a PingAccess deployment.

## Before you begin

* Go to the [Splunk website](https://www.splunk.com/) and download Splunk.

* Install Splunk.

## About this task

Splunk is enterprise software for monitoring, reporting on, and analyzing consolidated log files. Splunk captures and indexes real-time data into a single searchable repository from which you can generate reports, graphs, and other data visualizations.

> The PingAccess app for Splunk is available separately. It requires an enterprise-licensed (or trial) installation of the Splunk software and the Splunk Universal Forwarder, which collects data from the PingAccess Splunk audit logs. The application includes additional documentation on installation and available features.

The PingAccess app for Splunk provides rich system monitoring and reporting, including:

* Current transaction and system reports

* Service reports, such as a daily usage report and IdP and SP reports per connection

* Trend reports, such as weekly and monthly usage reports, and trend analysis

The application uses a specially formatted version of the audit logs. To write these specially formatted logs to the PingAccess log directory, perform the following steps.

> The PingAccess app for Splunk was designed to use the default Splunk log pattern configuration. If you have changed the output format of the Splunk rolling files, those changes could impact the functionality of the PingAccess app for Splunk.

## Steps

1. Set up your Splunk server.

   > 1. Enable a receiver to listen for data from the servers hosting PingAccess.
   >
   >    For more information, see the [Splunk documentation](https://docs.splunk.com/Documentation/Forwarder/Latest/Forwarder/Abouttheuniversalforwarder).
   >
   > 2. Install the PingAccess app for Splunk.
   >
   >    > To download the free application from [Splunkbase.splunk.com](https://splunkbase.splunk.com/), search for PingAccess.
   >
   >    For installation instructions, see the [Splunk Add-on documentation](https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall).

2. Configure PingAccess to output the following available Splunk audit logs:

   * `pingaccess_engine_audit_splunk.log`

   * `pingaccess_api_audit_splunk.log`

   * `pingaccess_agent_audit_splunk.log`

     > These logs output to `<PA_HOME>/log/` by default.

     > 1. Edit the `<PA_HOME>/conf/log4j2.xml` file.
     >
     > 2. In the `Audit Log Configuration` section, edit the `apiaudit`, `engineaudit`, and `agentaudit` logger configurations to uncomment the Splunk `AppenderRef`.
     >
     >    > ### Example:
     >    >
     >    > ```
     >    > <!-- ======================= -->
     >    > <!-- Audit log configuration -->
     >    > <!-- ======================= -->
     >    > <Logger name="apiaudit" level="INFO" additivity="false">
     >    >     <AppenderRef ref="APIAuditLog-File"/>
     >    >     <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>-->
     >    >     <AppenderRef ref="ApiAudit2Splunk"/>
     >    >     <!--<AppenderRef ref="ApiAuditLog-HarFile"/>-->
     >    > </Logger>
     >    > <Logger name="engineaudit" level="INFO" additivity="false">
     >    >     <AppenderRef ref="EngineAuditLog-File"/>
     >    >     <!--<AppenderRef ref="EngineAuditLog-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="EngineAuditLog-SQLServer-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="EngineAuditLog-PostgreSQL"/>-->
     >    >     <AppenderRef ref="EngineAudit2Splunk"/>
     >    >     <!--<AppenderRef ref="EngineAuditLog-HarFile"/>-->
     >    > </Logger>
     >    > <Logger name="agentaudit" level="INFO" additivity="false">
     >    >     <AppenderRef ref="AgentAuditLog-File"/>
     >    >     <!--<AppenderRef ref="AgentAuditLog-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="AgentAuditLog-SQLServer-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="AgentAuditLog-PostgreSQL"/>-->
     >    >     <AppenderRef ref="AgentAudit2Splunk"/>
     >    >     <!--<AppenderRef ref="AgentAuditLog-HarFile"/>-->
     >    > </Logger>
     >    > <Logger name="sidebandclientaudit" level="INFO" additivity="false">
     >    >     <AppenderRef ref="SidebandClientAuditLog-File"/>
     >    >     <!--<AppenderRef ref="SidebandClientAuditLog-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="SidebandClientAuditLog-SQLServer-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="SidebandClientAuditLog-PostgreSQL"/>-->
     >    >     <AppenderRef ref="SidebandClientAudit2Splunk"/>
     >    >     <!--<AppenderRef ref="SidebandClientAuditLog-HarFile"/>-->
     >    > </Logger>
     >    > <Logger name="sidebandaudit" level="INFO" additivity="false">
     >    >     <AppenderRef ref="SidebandAuditLog-File"/>
     >    >     <!--<AppenderRef ref="SidebandAuditLog-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="SidebandAuditLog-SQLServer-Database-Failover"/>-->
     >    >     <!--<AppenderRef ref="SidebandAuditLog-PostgreSQL"/>-->
     >    >     <AppenderRef ref="SidebandAudit2Splunk"/>
     >    >     <!--<AppenderRef ref="SidebandAuditLog-HarFile"/>-->
     >    > </Logger>
     >    > ```
     >
     > 3. Uncomment the `ApiAudit2Splunk`, `EngineAudit2Splunk`, and `AgentAudit2Splunk` `RollingFile` appender elements.
     >
     >    > ### Example:
     >    >
     >    > This is the default configuration for the `ApiAudit2Splunk` file:
     >    >
     >    > ```
     >    > <!--
     >    > <RollingFile name="ApiAudit2Splunk"
     >    >              fileName="${sys:pa.home}/log/pingaccess_api_audit_splunk.log"
     >    >              filePattern="${sys:pa.home}/log/pingaccess_api_audit_splunk.%d{yyyy-MM-dd}.log"
     >    >              ignoreExceptions="false">
     >    >     <PatternLayout>
     >    >         <pattern>%d{ISO8601} exchangeId="%X{exchangeId}" trackingId="%X{AUDIT.trackingId}" subject="%X{AUDIT.subject}" authMech="%X{AUDIT.authMech}" client="%X{AUDIT.client}" method="%X{AUDIT.method}" requestUri="%X{AUDIT.requestUri}" responseCode="%X{AUDIT.responseCode}" responder="%X{AUDIT.responder}" engineHostname="%X{AUDIT.host}" %n</pattern>
     >    >     </PatternLayout>
     >    >     <Policies>
     >    >         <TimeBasedTriggeringPolicy />
     >    >     </Policies>
     >    > </RollingFile>
     >    >  -->
     >    > ```
     >    >
     >    > This is the updated configuration for the `ApiAudit2Splunk` file, with the `RollingFile` uncommented and no other changes:
     >    >
     >    > ```
     >    > <RollingFile name="ApiAudit2Splunk"
     >    >              fileName="${sys:pa.home}/log/pingaccess_api_audit_splunk.log"
     >    >              filePattern="${sys:pa.home}/log/pingaccess_api_audit_splunk.%d{yyyy-MM-dd}.log"
     >    >              ignoreExceptions="false">
     >    >     <PatternLayout>
     >    >         <pattern>%d{ISO8601} exchangeId="%X{exchangeId}" trackingId="%X{AUDIT.trackingId}" subject="%X{AUDIT.subject}" authMech="%X{AUDIT.authMech}" client="%X{AUDIT.client}" method="%X{AUDIT.method}" requestUri="%X{AUDIT.requestUri}" responseCode="%X{AUDIT.responseCode}" responder="%X{AUDIT.responder}" engineHostname="%X{AUDIT.host}" %n</pattern>
     >    >     </PatternLayout>
     >    >     <Policies>
     >    >         <TimeBasedTriggeringPolicy />
     >    >     </Policies>
     >    > </RollingFile>
     >    > ```

3. Set up the Splunk Universal Forwarder.

   > 1. Download the Splunk Universal Forwarder from [Splunk](https://www.splunk.com/en_us/download/universal-forwarder.html) and install it on the PingAccess server.
   >
   > 2. Configure the Splunk Universal Forwarder to monitor the three Splunk log files (`pingaccess_engine_audit_splunk.log`, `pingaccess_api_audit_splunk.log`, and `pingaccess_agent_audit_splunk.log`) and forward the data to the receiver you configured.
   >
   >    For detailed installation and configuration instructions, see the [Splunk documentation](https://docs.splunk.com/Documentation/Forwarder/Latest/Forwarder/Abouttheuniversalforwarder).
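
A consistency check for the `log4j2.xml` edits in step 2, as an added example that is not part of the PingAccess product or its documentation: it reports Splunk `AppenderRef` entries that are still commented out and enabled references whose appender is not defined. The function name, the assumption of a standard un-namespaced Log4j 2 `Configuration`/`Appenders`/`Loggers` layout, and the reduced sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Logger -> Splunk appender pairs named in step 2 of this page.
REQUIRED = {"apiaudit": "ApiAudit2Splunk",
            "engineaudit": "EngineAudit2Splunk",
            "agentaudit": "AgentAudit2Splunk"}

def check_splunk_audit_config(xml_text, required=REQUIRED):
    """Return a list of problems; an empty list means refs and appenders agree.

    Assumes an un-namespaced <Configuration> with <Appenders> and <Loggers>.
    """
    # The default parser discards comments, so anything still wrapped in
    # <!-- --> is invisible here, exactly as it is to Log4j 2.
    root = ET.fromstring(xml_text)
    appenders = {a.get("name") for group in root.iter("Appenders") for a in group}
    refs = {lg.get("name"): [r.get("ref") for r in lg.iter("AppenderRef")]
            for lg in root.iter("Logger")}
    problems = []
    for logger, appender in required.items():
        if appender not in refs.get(logger, []):
            problems.append(f"{logger}: AppenderRef {appender} is not enabled")
        if appender not in appenders:
            problems.append(f"{appender}: appender is not defined")
    # Every other enabled reference must also resolve to a defined appender.
    for logger, names in refs.items():
        for name in names:
            if name not in appenders and name not in required.values():
                problems.append(f"{logger}: AppenderRef {name} has no appender")
    return problems

# Constructed, reduced sample (not a real PingAccess log4j2.xml).
SAMPLE = """<Configuration>
  <Appenders>
    <RollingFile name="ApiAudit2Splunk" fileName="api.log" filePattern="api.%d.log"/>
    <RollingFile name="EngineAudit2Splunk" fileName="engine.log" filePattern="engine.%d.log"/>
    <!-- <RollingFile name="AgentAudit2Splunk" fileName="agent.log" filePattern="agent.%d.log"/> -->
  </Appenders>
  <Loggers>
    <Logger name="apiaudit"><AppenderRef ref="ApiAudit2Splunk"/></Logger>
    <Logger name="engineaudit"><!--<AppenderRef ref="EngineAudit2Splunk"/>--></Logger>
    <Logger name="agentaudit"><AppenderRef ref="AgentAudit2Splunk"/></Logger>
    <Logger name="sidebandaudit"><AppenderRef ref="SidebandAudit2Splunk"/></Logger>
  </Loggers>
</Configuration>"""

if __name__ == "__main__":
    for problem in check_splunk_audit_config(SAMPLE):
        print(problem)
```

To check a real deployment, pass the contents of `<PA_HOME>/conf/log4j2.xml` to `check_splunk_audit_config` before restarting PingAccess; a missing audit file only becomes obvious later, when the forwarder has nothing to send.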
