Writing logs to databases
Enable database logging for the API, engine, and agent audit logs in conf/log4j2.db.properties
.
About this task
PingAccess supports logging to Oracle, SQL Server, and PostgreSQL databases. Scripts are provided in conf/log4j/sql-scripts
to create the necessary tables.
Steps
-
Ensure that your database driver JAR file is installed in the
<PA_HOME>/deploy
directory. -
After installing the driver, restart PingAccess.
-
In the
conf/log4j2.xml
file, uncomment one or more of the preset appender configurations listed in the following table.Database Configuration Oracle
-
For administrative application programming interface (API) audit logging, uncomment the
<JDBC>
element with thename="ApiAuditLog-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For engine audit logging, uncomment the
<JDBC>
element with thename="EngineAuditLog-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For agent audit logging, uncomment the
<JDBC>
element with thename="AgentAuditLog-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband client audit logging, uncomment the
<JDBC>
element with thename="SidebandClientAuditLog-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband end-user audit logging, uncomment the
<JDBC>
element with thename="SidebandAuditLog-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements.
SQL Server
-
For administrative API audit logging, uncomment the
<JDBC>
element with thename="ApiAuditLog-SQLServer-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For engine audit logging, uncomment the
<JDBC>
element with thename="EngineAuditLog-SQLServer-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For agent audit logging, uncomment the
<JDBC>
element with thename="AgentAuditLog-SQLServer-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband client audit logging, uncomment the
<JDBC>
element with thename="SidebandClientAuditLog-SQLServer-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband end-user audit logging, uncomment the
<JDBC>
element with thename="SidebandAuditLog-SQLServer-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements.
PostgreSQL
-
For administrative API audit logging, uncomment the
<JDBC>
element with thename="ApiAuditLog-PostgreSQL-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For engine audit logging, uncomment the
<JDBC>
element with thename="EngineAuditLog-PostgreSQL-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For agent audit logging, uncomment the
<JDBC>
element with thename="AgentAuditLog-PostgreSQL-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband client audit logging, uncomment the
<JDBC>
element with thename="SidebandClientAuditLog-PostgreSQL-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements. -
For sideband end-user audit logging, uncomment the
<JDBC>
element with thename="SidebandAuditLog-PostgreSQL-Database"
attribute specified, along with the following<RollingFile>
and<PingAccessFailover>
elements.
The
<PingAccessFailover>
element is used to define how PingAccess logging fails over if a connection to the primary database isn’t accessible. Use theretryIntervalSeconds
attribute to specify the number of seconds that must pass before retrying the primary Java database connectivity (JDBC) appender. -
-
In the
conf/log4j2.db.properties
file, replace the placeholder parameter values for each enabled appender with valid values to provide access to the database.You can obfuscate the password used to access the database by running either
obfuscate.sh
orobfuscate.bat
, located in<PA_HOME>/bin
. Use the database password as an argument, then copy the output into the password configuration property for the appender in<PA_HOME>/conf/log4j2.db.properties
. -
In the
conf/log4j2.xml
file, uncomment the<AppenderRef>
elements in each respective<Logger>
section, as shown in the following examples.Example
Example:
Oracle
<!-- Audit Log Configuration--> <Logger name="apiaudit" level="INFO" additivity="false"> <AppenderRef ref="APIAuditLog-File"/> <AppenderRef ref="ApiAuditLog-Database-Failover"/> <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>--> <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="ApiAudit2Splunk"/>--> <!--<AppenderRef ref="ApiAuditLog-HarFile"/>--> </Logger> <Logger name="engineaudit" level="INFO" additivity="false"> <AppenderRef ref="EngineAuditLog-File"/> <AppenderRef ref="EngineAuditLog-Database-Failover"/> <!--<AppenderRef ref="EngineAuditLog-SQLServer-Database-Failover"/>--> <!--<AppenderRef ref="EngineAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="EngineAudit2Splunk"/>--> <!--<AppenderRef ref="EngineAuditLog-HarFile"/>--> </Logger> <Logger name="agentaudit" level="INFO" additivity="false"> <AppenderRef ref="AgentAuditLog-File"/> <AppenderRef ref="AgentAuditLog-Database-Failover"/> <!--<AppenderRef ref="AgentAuditLog-SQLServer-Database-Failover"/>--> <!--<AppenderRef ref="AgentAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="AgentAudit2Splunk"/>--> <!--<AppenderRef ref="AgentAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandclientaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandClientAuditLog-File"/> <AppenderRef ref="SidebandClientAuditLog-Database-Failover"/> <!--<AppenderRef ref="SidebandClientAuditLog-SQLServer-Database-Failover"/>--> <!--<AppenderRef ref="SidebandClientAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="SidebandClientAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandClientAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandAuditLog-File"/> <AppenderRef ref="SidebandAuditLog-Database-Failover"/> <!--<AppenderRef ref="SidebandAuditLog-SQLServer-Database-Failover"/>--> <!--<AppenderRef ref="SidebandAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="SidebandAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandAuditLog-HarFile"/>--> </Logger>
Example
Example:
SQL Server
<!-- Audit Log Configuration--> <Logger name="apiaudit" level="INFO" additivity="false"> <AppenderRef ref="APIAuditLog-File"/> <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>--> <AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/> <!--<AppenderRef ref="ApiAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="ApiAudit2Splunk"/>--> <!--<AppenderRef ref="ApiAuditLog-HarFile"/>--> </Logger> <Logger name="engineaudit" level="INFO" additivity="false"> <AppenderRef ref="EngineAuditLog-File"/> <!--<AppenderRef ref="EngineAuditLog-Database-Failover"/>--> <AppenderRef ref="EngineAuditLog-SQLServer-Database-Failover"/> <!--<AppenderRef ref="EngineAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="EngineAudit2Splunk"/>--> <!--<AppenderRef ref="EngineAuditLog-HarFile"/>--> </Logger> <Logger name="agentaudit" level="INFO" additivity="false"> <AppenderRef ref="AgentAuditLog-File"/> <!--<AppenderRef ref="AgentAuditLog-Database-Failover"/>--> <AppenderRef ref="AgentAuditLog-SQLServer-Database-Failover"/> <!--<AppenderRef ref="AgentAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="AgentAudit2Splunk"/>--> <!--<AppenderRef ref="AgentAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandclientaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandClientAuditLog-File"/> <!--<AppenderRef ref="SidebandClientAuditLog-Database-Failover"/>--> <AppenderRef ref="SidebandClientAuditLog-SQLServer-Database-Failover"/> <!--<AppenderRef ref="SidebandClientAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="SidebandClientAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandClientAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandAuditLog-File"/> <!--<AppenderRef ref="SidebandAuditLog-Database-Failover"/>--> <AppenderRef ref="SidebandAuditLog-SQLServer-Database-Failover"/> <!--<AppenderRef ref="SidebandAuditLog-PostgreSQL"/>--> <!--<AppenderRef ref="SidebandAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandAuditLog-HarFile"/>--> </Logger>
Example
Example:
PostgreSQL
<!-- Audit Log Configuration--> <Logger name="apiaudit" level="INFO" additivity="false"> <AppenderRef ref="APIAuditLog-File"/> <!--<AppenderRef ref="ApiAuditLog-Database-Failover"/>--> <!--<AppenderRef ref="ApiAuditLog-SQLServer-Database-Failover"/>--> <AppenderRef ref="ApiAuditLog-PostgreSQL"/> <!--<AppenderRef ref="ApiAudit2Splunk"/>--> <!--<AppenderRef ref="ApiAuditLog-HarFile"/>--> </Logger> <Logger name="engineaudit" level="INFO" additivity="false"> <AppenderRef ref="EngineAuditLog-File"/> <!--<AppenderRef ref="EngineAuditLog-Database-Failover"/>--> <!--<AppenderRef ref="EngineAuditLog-SQLServer-Database-Failover"/>--> <AppenderRef ref="EngineAuditLog-PostgreSQL"/> <!--<AppenderRef ref="EngineAudit2Splunk"/>--> <!--<AppenderRef ref="EngineAuditLog-HarFile"/>--> </Logger> <Logger name="agentaudit" level="INFO" additivity="false"> <AppenderRef ref="AgentAuditLog-File"/> <!--<AppenderRef ref="AgentAuditLog-Database-Failover"/>--> <!--<AppenderRef ref="AgentAuditLog-SQLServer-Database-Failover"/>--> <AppenderRef ref="AgentAuditLog-PostgreSQL"/> <!--<AppenderRef ref="AgentAudit2Splunk"/>--> <!--<AppenderRef ref="AgentAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandclientaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandClientAuditLog-File"/> <!--<AppenderRef ref="SidebandClientAuditLog-Database-Failover"/>--> <!--<AppenderRef ref="SidebandClientAuditLog-SQLServer-Database-Failover"/>--> <AppenderRef ref="SidebandClientAuditLog-PostgreSQL"/> <!--<AppenderRef ref="SidebandClientAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandClientAuditLog-HarFile"/>--> </Logger> <Logger name="sidebandaudit" level="INFO" additivity="false"> <AppenderRef ref="SidebandAuditLog-File"/> <!--<AppenderRef ref="SidebandAuditLog-Database-Failover"/>--> <!--<AppenderRef ref="SidebandAuditLog-SQLServer-Database-Failover"/>--> <AppenderRef ref="SidebandAuditLog-PostgreSQL"/> <!--<AppenderRef ref="SidebandAudit2Splunk"/>--> <!--<AppenderRef ref="SidebandAuditLog-HarFile"/>--> </Logger>
-
Create the database tables.
Scripts to create database tables are located in
conf/log4j/sql-scripts
.The scripts are written to handle the default list of elements for the relevant database log appender. Any changes to the list require corresponding changes to the SQL table creation script, or to the table itself if it already exists. For more information on working with these scripts, see the Oracle, PostgreSQL, or MS SQL Server documentation.
For PostgreSQL database scripts, use of the default
public
schema isn’t recommended. To run the scripts against a different schema, choose one of the following options:-
Prepend the schema before the table name. For example,
api_audit_log
would becomemy_schema.api_audit_log
. -
Run the script using psql and specify an options parameter to define the schema. For example:
psql postgresql://<user>@<db_hostname>:5432/<db_name>?options=--search_path=<schema> -f api-audit-log-postgresql.sql
-