PingAccess

Parsing HAR-formatted audit log files

Reformat a snapshot instance of a HAR-formatted audit log file so that you can view it or parse it with an HTTP Archive (HAR) reader.

About this task

Before sharing any HAR data with a third-party application, carefully review the third-party application’s permissions and sanitize any potentially sensitive information out of the log files.

Steps

  1. Download the jq command-line tool from https://stedolan.github.io/jq/download/.

    Select a jq version for the operating system that you deployed your PingAccess environment on.

    For more information on PingAccess operating system requirements, see System requirements.

  2. Create a file called pa-har-merge.jq.

    Example:

    {
      log: {
        version: .[0].log.version,
        creator: .[0].log.creator,
        entries: (reduce .[] as $entry ([]; . + ($entry.log.entries | map(. + { _metadata: $entry.log._metadata }))))
      }
    }

    For examples of how to parse the PingAccess HAR-formatted log files with pa-har-merge.jq, see the following commands. These examples assume that:

    • You’ve set PA_HOME and PA_HAR_MERGE_HOME as environment variables that define the base paths to the PingAccess instance and the pa-har-merge.jq file respectively.

    • You’re attempting to parse the HAR-formatted API audit log file.

      To filter requests based on request URL, run the command:

      cat $PA_HOME/log/pingaccess_api_audit_har.log | jq -s -f $PA_HAR_MERGE_HOME/pa-har-merge.jq | jq '.log.entries = [ .log.entries[] | select(.request.url != "/pa-admin-api/v3/adminSessionInfo/checkOnly") ]'

      To output the HAR-formatted log file into a file format that’s usable with a standard HAR viewer, run the command:

      cat $PA_HOME/log/pingaccess_api_audit_har.log | jq -s -f $PA_HAR_MERGE_HOME/pa-har-merge.jq > log.har

    View the output log.har file with a standard HAR viewer, such as browser dev tools or the HTTP Archive Viewer.
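
The following is an added example, not part of the PingAccess documentation: a Python equivalent of the pa-har-merge.jq merge that also redacts credential-bearing fields before the merged file is shared, as advised under About this task. Field names follow the HAR 1.2 layout; the sensitive-header list, the second sample URL and the sample log lines are assumptions constructed for illustration.

```python
import json

# Assumed starting list of credential-bearing headers; extend it for your deployment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

def read_snapshots(text):
    """Decode back-to-back JSON documents into a list, like `jq -s`."""
    decoder, pos, docs = json.JSONDecoder(), 0, []
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)
    return docs

def merge(docs):
    """Mirror pa-har-merge.jq: one log, every entry tagged with its snapshot's _metadata."""
    entries = []
    for doc in docs:
        meta = doc["log"].get("_metadata")
        entries += [{**entry, "_metadata": meta} for entry in doc["log"]["entries"]]
    first = docs[0]["log"]
    return {"log": {"version": first.get("version"), "creator": first.get("creator"),
                    "entries": entries}}

def sanitize(har):
    """Redact sensitive header values, all cookie values and request bodies in place."""
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            message = entry.get(side) or {}
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
        post = (entry.get("request") or {}).get("postData")
        if post and "text" in post:
            post["text"] = REDACTED
    return har

# Constructed sample input: two snapshot documents, one per line.
SAMPLE = "\n".join([
    '{"log":{"version":"1.2","creator":{"name":"sample"},"_metadata":{"snapshot":1},"entries":[{"request":{"url":"/pa-admin-api/v3/adminSessionInfo/checkOnly","headers":[{"name":"Authorization","value":"Basic c2FtcGxl"}],"cookies":[{"name":"sid","value":"abc"}]},"response":{"headers":[{"name":"Set-Cookie","value":"sid=abc"}]}}]}}',
    '{"log":{"version":"1.2","creator":{"name":"sample"},"_metadata":{"snapshot":2},"entries":[{"request":{"url":"/pa-admin-api/v3/constructed-example","headers":[{"name":"Accept","value":"*/*"}],"postData":{"mimeType":"text/plain","text":"secret=constructed"}},"response":{"headers":[]}}]}}',
])

if __name__ == "__main__":
    print(json.dumps(sanitize(merge(read_snapshots(SAMPLE))), indent=2))
```

To run it against a real log, pass the contents of pingaccess_api_audit_har.log to read_snapshots instead of SAMPLE and write the result to log.har.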