--- title: Writing logs to databases description: Enable database logging for the API, engine, and agent audit logs in conf/log4j2.db.properties. component: pingaccess version: 9.0 page_id: pingaccess:configuring_and_customizing_pingaccess:pa_writing_logs_to_databases canonical_url: https://docs.pingidentity.com/pingaccess/9.0/configuring_and_customizing_pingaccess/pa_writing_logs_to_databases.html revdate: June 26, 2023 section_ids: about-this-task: About this task steps: Steps example: Example: example-2: Example: example-3: Example: --- # Writing logs to databases Enable database logging for the API, engine, and agent audit logs in `conf/log4j2.db.properties`. ## About this task PingAccess supports logging to Oracle, SQL Server, and PostgreSQL databases. Scripts are provided in `conf/log4j/sql-scripts` to create the necessary tables. ## Steps 1. Ensure that your database driver JAR file is installed in the `/deploy` directory. 2. After installing the driver, restart PingAccess. 3. In the `conf/log4j2.xml` file, uncomment one or more of the preset appender configurations listed in the following table. | Database | Configuration | | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Oracle | * For administrative application programming interface (API) *(tooltip: \

A specification of interactions available for building software to access an application or service.\

)* audit logging, uncomment the `` element with the `name="ApiAuditLog-Database"` attribute specified, along with the following `` and `` elements. * For engine audit logging, uncomment the `` element with the `name="EngineAuditLog-Database"` attribute specified, along with the following `` and `` elements. * For agent audit logging, uncomment the `` element with the `name="AgentAuditLog-Database"` attribute specified, along with the following `` and `` elements. * For sideband client audit logging, uncomment the `` element with the `name="SidebandClientAuditLog-Database"` attribute specified, along with the following `` and `` elements. * For sideband end-user audit logging, uncomment the `` element with the `name="SidebandAuditLog-Database"` attribute specified, along with the following `` and `` elements. | | SQL Server | - For administrative API audit logging, uncomment the `` element with the `name="ApiAuditLog-SQLServer-Database"` attribute specified, along with the following `` and `` elements. - For engine audit logging, uncomment the `` element with the `name="EngineAuditLog-SQLServer-Database"` attribute specified, along with the following `` and `` elements. - For agent audit logging, uncomment the `` element with the `name="AgentAuditLog-SQLServer-Database"` attribute specified, along with the following `` and `` elements. - For sideband client audit logging, uncomment the `` element with the `name="SidebandClientAuditLog-SQLServer-Database"` attribute specified, along with the following `` and `` elements. - For sideband end-user audit logging, uncomment the `` element with the `name="SidebandAuditLog-SQLServer-Database"` attribute specified, along with the following `` and `` elements. | | PostgreSQL | * For administrative API audit logging, uncomment the `` element with the `name="ApiAuditLog-PostgreSQL-Database"` attribute specified, along with the following `` and `` elements. * For engine audit logging, uncomment the `` element with the `name="EngineAuditLog-PostgreSQL-Database"` attribute specified, along with the following `` and `` elements. * For agent audit logging, uncomment the `` element with the `name="AgentAuditLog-PostgreSQL-Database"` attribute specified, along with the following `` and `` elements. * For sideband client audit logging, uncomment the `` element with the `name="SidebandClientAuditLog-PostgreSQL-Database"` attribute specified, along with the following `` and `` elements. * For sideband end-user audit logging, uncomment the `` element with the `name="SidebandAuditLog-PostgreSQL-Database"` attribute specified, along with the following `` and `` elements. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `` element is used to define how PingAccess logging fails over if a connection to the primary database isn't accessible. Use the `retryIntervalSeconds` attribute to specify the number of seconds that must pass before retrying the primary Java database connectivity (JDBC) *(tooltip: \

A Java API that allows Java programs to interact with databases.\

)* appender. | 4. In the `conf/log4j2.db.properties` file, replace the placeholder parameter values for each enabled appender with valid values to provide access to the database. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can obfuscate the password used to access the database by running either `obfuscate.sh` or `obfuscate.bat`, located in `/bin`. Use the database password as an argument, then copy the output into the password configuration property for the appender in `/conf/log4j2.db.properties`. | 5. In the `conf/log4j2.xml` file, uncomment the `` elements in each respective `` section, as shown in the following examples. > **Collapse: Example** > > ### Example: > > Oracle > > ``` > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ``` > **Collapse: Example** > > ### Example: > > SQL Server > > ``` > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ``` > **Collapse: Example** > > ### Example: > > PostgreSQL > > ``` > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ``` 6. Create the database tables. Scripts to create database tables are located in `conf/log4j/sql-scripts`. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The scripts are written to handle the default list of elements for the relevant database log appender. Any changes to the list require corresponding changes to the SQL table creation script, or to the table itself if it already exists. For more information on working with these scripts, see the Oracle, PostgreSQL, or MS SQL Server documentation. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For PostgreSQL database scripts, use of the default `public` schema isn't recommended. To run the scripts against a different schema, choose one of the following options:- Prepend the schema before the table name. For example, `api_audit_log` would become `my_schema.api_audit_log`. - Run the script using psql and specify an options parameter to define the schema. For example: ``` psql postgresql://@:5432/?options=--search_path= -f api-audit-log-postgresql.sql ``` |