PingAccess

Enabling the CEF formatted syslog appender

Steps

  1. Uncomment the syslog failover appender references in the apiaudit, engineaudit, agentaudit, sidebandclientaudit, and sidebandaudit sections.

    Example:

    In the Audit log configuration section of the log4j2.xml file, go to the apiaudit logger configuration and uncomment the <AppenderRef ref="ApiAuditLogToCEF-Syslog-Failover"/> appender reference:

    <!-- ======================= -->
    <!-- Audit log configuration -->
    <!-- ======================= -->
    <Logger name="apiaudit" level="${sys:pa.log.level.apiaudit:-INFO}" additivity="false">
       <AppenderRef ref="APIAuditLog-File"/>
       <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>-->
       <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>-->
       <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>-->
       <!--<AppenderRef ref="ApiAudit2Splunk"/>-->
       <!--<AppenderRef ref="ApiAuditLog-HarFile"/>-->
       <!--<AppenderRef ref="ApiAuditLogToCEF-File"/>-->
       <AppenderRef ref="ApiAuditLogToCEF-Syslog-Failover"/>
    </Logger>

    Repeat this with the <AppenderRef ref="EngineAuditLogToCEF-Syslog-Failover"/>, <AppenderRef ref="AgentAuditLogToCEF-Syslog-Failover"/>, <AppenderRef ref="SidebandClientAuditLogToCEF-Syslog-Failover"/>, and <AppenderRef ref="SidebandAuditLogToCEF-Syslog-Failover"/> appender references.

  2. Uncomment the Socket appender configurations in the Api Audit log : CEF Formatted syslog appender, Engine Audit log : CEF Formatted syslog appender, Agent Audit log : CEF Formatted syslog appender, SidebandClient Audit log : CEF Formatted syslog appender, and Sideband Audit log : CEF Formatted syslog appender sections.

    Each Socket appender is followed by two related appenders, RollingFile and PingAccessFailover. Together, they write a running failover log file in the <PA_HOME>/log directory (for the API audit log, pingaccess_api_audit_cef_syslog_failover.log, as set by the RollingFile appender's fileName) if CEF logging to syslog fails for any reason. If you uncomment the Socket appenders, make sure that you also uncomment the related appenders.

    Example:

    In the Api Audit log : CEF Formatted syslog appender section, uncomment the ApiAuditLogToCEF-Syslog Socket appender configuration:

    <!--
    <Socket name="ApiAuditLogToCEF-Syslog" host="{syslog.host}" port="{syslog.port}" protocol="{syslog.protocol}" ignoreExceptions="false">
       <PingSyslogLayout>
          <PatternLayout>
             <pattern>%escape{CEF}{CEF:0|Ping Identity|PingAccess|%X{AUDIT.paVersion}|%X{exchangeId}|API_AccessEvent|0|rt=%d{ISO8601} msg=%X{AUDIT.responseCode} duid=%X{AUDIT.subject} src=%X{AUDIT.client} requestMethod=%X{AUDIT.method} request=%X{AUDIT.requestUri} cs1Label=AuthenticationMechanism cs1=%X{AUDIT.authMech} cs2Label=RoundTripMS cs2=%X{AUDIT.roundTripMS} externalId=%X{AUDIT.trackingId} %n}</pattern>
          </PatternLayout>
       </PingSyslogLayout>
    </Socket>
    
    <RollingFile name="ApiAuditLogToCEF-Syslog-FILE"
                 fileName="${sys:pa.home}/log/pingaccess_api_audit_cef_syslog_failover.log"
                 filePattern="${sys:pa.home}/log/pingaccess_api_audit_cef_syslog_failover.%d{yyyy-MM-dd}.log"
                 ignoreExceptions="false">
       <PatternLayout>
          <pattern>%escape{CEF}{CEF:0|Ping Identity|PingAccess|%X{AUDIT.paVersion}|%X{exchangeId}|API_AccessEvent|0|rt=%d{ISO8601} msg=%X{AUDIT.responseCode} duid=%X{AUDIT.subject} src=%X{AUDIT.client} requestMethod=%X{AUDIT.method} request=%X{AUDIT.requestUri} cs1Label=AuthenticationMechanism cs1=%X{AUDIT.authMech} cs2Label=RoundTripMS cs2=%X{AUDIT.roundTripMS} externalId=%X{AUDIT.trackingId} %n}</pattern>
       </PatternLayout>
       <Policies>
          <TimeBasedTriggeringPolicy />
       </Policies>
    </RollingFile>
    
    <PingAccessFailover name="ApiAuditLogToCEF-Syslog-Failover" primary="ApiAuditLogToCEF-Syslog" error="File">
       <Failovers>
          <AppenderRef ref="ApiAuditLogToCEF-Syslog-FILE" />
       </Failovers>
    </PingAccessFailover>
    -->

    Repeat this with the EngineAuditLogToCEF-Syslog, AgentAuditLogToCEF-Syslog, SidebandClientAuditLogToCEF-Syslog, and SidebandAuditLogToCEF-Syslog appenders.

  3. In the ApiAuditLogToCEF-Syslog, EngineAuditLogToCEF-Syslog, AgentAuditLogToCEF-Syslog, SidebandClientAuditLogToCEF-Syslog, and SidebandAuditLogToCEF-Syslog Socket appenders, replace the following placeholder parameter values:

    syslog.host

    The URL of your syslog host server.

    syslog.port

    The port that your syslog host server uses.

    syslog.protocol

    The protocol that your syslog host server uses. Valid values are UDP or TCP.

    Only the TCP protocol supports failover.

  4. Save and close the file.
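A way to verify all three edits before restarting PingAccess, as an added example that is not PingAccess tooling or part of this page: a Python script that parses log4j2.xml with XML comments preserved, so an appender reference or appender that is still wrapped in <!-- --> counts as not configured. The element names (Socket, RollingFile, PingAccessFailover, AppenderRef), the appender naming and the three placeholder values are taken from the configuration shown above. The embedded sample log4j2.xml is constructed: a cut-down file with the apiaudit logger fully configured, engineaudit with only step 1 done, agentaudit with the placeholder host and UDP left in, and the two sideband loggers absent; the hostname and port values in it are examples.

```python
"""Check a PingAccess log4j2.xml for the CEF syslog failover setup (added example, not PingAccess code)."""
import xml.etree.ElementTree as ET

# Audit logger -> name of its Socket appender (names from the page's log4j2.xml excerpts).
AUDIT_LOGGERS = {
    "apiaudit": "ApiAuditLogToCEF-Syslog",
    "engineaudit": "EngineAuditLogToCEF-Syslog",
    "agentaudit": "AgentAuditLogToCEF-Syslog",
    "sidebandclientaudit": "SidebandClientAuditLogToCEF-Syslog",
    "sidebandaudit": "SidebandAuditLogToCEF-Syslog",
}
PLACEHOLDERS = ("{syslog.host}", "{syslog.port}", "{syslog.protocol}")


def check_cef_syslog(xml_text):
    """Return a list of findings; an empty list means steps 1 to 3 are complete for every audit logger."""
    # Keep XML comments in the tree so a commented-out appender is not mistaken for an active one.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)

    # Only real elements land here; comment nodes have a non-string tag and are skipped.
    appenders = {
        (el.tag, el.get("name")): el
        for el in root.iter()
        if el.tag in ("Socket", "RollingFile", "PingAccessFailover")
    }
    loggers = {el.get("name"): el for el in root.iter("Logger")}

    findings = []
    for logger_name, base in AUDIT_LOGGERS.items():
        logger = loggers.get(logger_name)
        if logger is None:
            findings.append(f"{logger_name}: Logger element not found")
            continue
        # Step 1: the failover AppenderRef must be an active child of the logger.
        refs = {ref.get("ref") for ref in logger.findall("AppenderRef")}
        if f"{base}-Failover" not in refs:
            findings.append(f"{logger_name}: AppenderRef {base}-Failover is commented out or missing (step 1)")
        # Step 2: Socket, RollingFile and PingAccessFailover must all be uncommented together.
        for tag, name in (("Socket", base), ("RollingFile", f"{base}-FILE"),
                          ("PingAccessFailover", f"{base}-Failover")):
            if (tag, name) not in appenders:
                findings.append(f"{logger_name}: {tag} {name} is commented out or missing (step 2)")
        socket = appenders.get(("Socket", base))
        if socket is None:
            continue
        # Step 3: placeholders replaced; failover to the local file is only supported over TCP.
        for attr in ("host", "port", "protocol"):
            value = socket.get(attr, "")
            if not value or value in PLACEHOLDERS:
                findings.append(f"{logger_name}: Socket {base} attribute {attr} is still a placeholder (step 3)")
        protocol = socket.get("protocol", "")
        if protocol.upper() == "UDP":
            findings.append(f"{logger_name}: protocol UDP selected; failover is only supported over TCP")
        elif protocol and protocol.upper() != "TCP" and protocol not in PLACEHOLDERS:
            findings.append(f"{logger_name}: protocol {protocol!r} is not TCP or UDP (step 3)")
    return findings


# Constructed sample file: apiaudit complete, engineaudit half done, agentaudit with
# the placeholder host and UDP left in, sideband loggers absent. Host/port are examples.
SAMPLE_LOG4J2 = """<Configuration>
  <Appenders>
    <Socket name="ApiAuditLogToCEF-Syslog" host="siem.example.internal" port="6514" protocol="TCP" ignoreExceptions="false"/>
    <RollingFile name="ApiAuditLogToCEF-Syslog-FILE" fileName="${sys:pa.home}/log/pingaccess_api_audit_cef_syslog_failover.log"/>
    <PingAccessFailover name="ApiAuditLogToCEF-Syslog-Failover" primary="ApiAuditLogToCEF-Syslog" error="File">
      <Failovers><AppenderRef ref="ApiAuditLogToCEF-Syslog-FILE"/></Failovers>
    </PingAccessFailover>
    <!--
    <Socket name="EngineAuditLogToCEF-Syslog" host="{syslog.host}" port="{syslog.port}" protocol="{syslog.protocol}"/>
    -->
    <Socket name="AgentAuditLogToCEF-Syslog" host="{syslog.host}" port="514" protocol="UDP" ignoreExceptions="false"/>
    <RollingFile name="AgentAuditLogToCEF-Syslog-FILE" fileName="${sys:pa.home}/log/pingaccess_agent_audit_cef_syslog_failover.log"/>
    <PingAccessFailover name="AgentAuditLogToCEF-Syslog-Failover" primary="AgentAuditLogToCEF-Syslog" error="File">
      <Failovers><AppenderRef ref="AgentAuditLogToCEF-Syslog-FILE"/></Failovers>
    </PingAccessFailover>
  </Appenders>
  <Loggers>
    <Logger name="apiaudit" level="INFO" additivity="false">
      <AppenderRef ref="ApiAuditLogToCEF-Syslog-Failover"/>
    </Logger>
    <Logger name="engineaudit" level="INFO" additivity="false">
      <AppenderRef ref="EngineAuditLogToCEF-Syslog-Failover"/>
    </Logger>
    <Logger name="agentaudit" level="INFO" additivity="false">
      <!--<AppenderRef ref="AgentAuditLogToCEF-Syslog-Failover"/>-->
    </Logger>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for finding in check_cef_syslog(SAMPLE_LOG4J2):
        print(finding)
```

To run it against a real installation, read <PA_HOME>/conf/log4j2.xml into a string and pass it to check_cef_syslog; an empty result means every audit logger has its failover reference active, its three appenders uncommented, and no placeholder left in the Socket attributes.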
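On the receiving side, the syslog collector or SIEM has to split each event the pattern layout above produces into the seven pipe-separated CEF header fields and the key=value extension. The following parser is an added example, not PingAccess code and not from this page; it handles the backslash escaping CEF relies on (\| and \\ inside header fields, \=, \\, \n and \r inside extension values), which is what the %escape{CEF} wrapper in the pattern is there to produce. The sample event is constructed to follow the page's API_AccessEvent pattern; its version, exchange id, user, address and tracking id are placeholders, and its request URI carries a query string with escaped '=' characters to show why that escaping matters for parsing.

```python
"""Minimal CEF:0 parser for events shaped like the page's pattern layout (added example)."""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample following the page's API_AccessEvent pattern (placeholder values).
SAMPLE_EVENT = (
    r"CEF:0|Ping Identity|PingAccess|x.y.z|exch-0001|API_AccessEvent|0|"
    r"rt=2024-05-01T12:00:00,123 msg=200 duid=alice src=10.0.0.5 requestMethod=GET "
    r"request=/api/v1/orders?id\=42&sort\=desc cs1Label=AuthenticationMechanism "
    r"cs1=Cookie cs2Label=RoundTripMS cs2=17 externalId=tid-0001 "
)


def _split_header(line):
    """Return the 7 unescaped header fields and the raw (still escaped) extension text."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # '\|' and '\\' stand for a literal '|' and '\'
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, line[i:]


def _unescape_ext(value):
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Split 'key=value key=value ...'; values may contain spaces and escaped '='."""
    # Locate every unescaped '='; the key is the word immediately before it.
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2  # skip the escaped character, including '\='
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    bounds = []
    for pos in eq_positions:
        start = pos
        while start > 0 and (ext[start - 1].isalnum() or ext[start - 1] == "_"):
            start -= 1
        bounds.append((start, pos))
    extension = {}
    for idx, (key_start, eq) in enumerate(bounds):
        # A value runs up to the start of the next key (minus the separating space).
        value_end = bounds[idx + 1][0] if idx + 1 < len(bounds) else len(ext)
        extension[ext[key_start:eq]] = _unescape_ext(ext[eq + 1:value_end].rstrip(" "))
    return extension


def parse_cef(line):
    """Parse one CEF:0 line into its header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, rest = _split_header(line.rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = event["version"][len("CEF:"):]
    event["extension"] = _parse_extension(rest.strip())
    return event


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_EVENT)
    print(ev["name"], ev["extension"]["duid"], ev["extension"]["request"])
```

Without the escaping, the '=' characters in the query string would be taken as new key boundaries and the request field would be split into bogus keys, so a collector that does not honour CEF escapes will misattribute parts of the URI; checking that a test event like the one above round-trips intact is a quick way to validate the receiving pipeline.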