Administrator audit logging
PingFederate records actions performed by server administrators.
This information is recorded in the <pf_install>/pingfederate/log/admin.log file. The set of events is not configurable, but you can adjust the Log4j 2 settings in the <pf_install>/pingfederate/server/default/conf/log4j2.xml file to control how much detail is written for each event.
Events logged by PingFederate include but are not limited to:
- Sign on attempt
- Explicit user logout (no time-outs)
- Account activation or deactivation
- Password change or reset
- Role change
- System settings management
- Certificate management
- OAuth settings management
- Metadata export
- XML file signatures applied
- Configuration archive export and import
- Identity provider (IdP)/service provider (SP) adapter, IdP token processor, or SP token generator created, modified, or deleted
- IdP/SP default URLs modified
- IdP/SP connection created, modified, or deleted
- Adapter-to-Adapter mapping or token exchange mapping created, modified, or deleted
- Authentication policy contract created, modified, or deleted
- IdP Discovery management
- SP Affiliation created, modified, or deleted
- PingOne for Enterprise account connected, modified, or disconnected
- Session timeout event, in the following two scenarios:
  - When an administrator's session has timed out and they subsequently sign on again, the session timeout event is logged retroactively.
  - When an administrator's session is invalidated due to inactivity and the server's session management performs a session clean-up on the administrative console node. In this case the timeout event is logged 10 to 15 minutes after the timeout occurred.
Each entry in the admin.log file is on a separate line and represents a single administrator action. The general format of each entry is the same, though specific events are recorded with information relevant to each type. Events are recorded when you click the corresponding Save button in the administrative console. Each log entry contains information relating to the event, including:
- The time the event occurred on the PingFederate server
- The username of the administrator performing the action
- The roles assigned to the administrator at the time the event occurred
- The type of event that occurred
- Basic information about the event
Each of these fields is separated by a vertical pipe (|) for easier parsing.
Detailed event logging
You can also configure PingFederate to log additional event information to a separate log file. When you enable detailed event logging, besides writing basic information to <pf_install>/pingfederate/log/admin.log, PingFederate logs detailed information about each event to admin-event-detail.log in the same log directory.
Events recorded in the detail log are limited to changes stored in XML files. For example, the log does not record changes to OAuth clients stored in external datastores, such as LDAP directories or Java Database Connectivity (JDBC) databases. Additionally, not all events have detailed information. For instance, sign on attempts are only logged to the admin.log file.
PingFederate links events between admin.log and admin-event-detail.log by a unique event ID. Each entry in the admin-event-detail.log file contains:
- The ID of the event
- The name of the file involved
- The type of event that occurred
- The line number where the change occurred
- The changes made
To enable detailed event logging, set the pf.log.eventdetail property to true in the <pf_install>/pingfederate/bin/run.properties file.
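The pipe-separated layout of admin.log and the event ID that ties it to admin-event-detail.log are what make both files easy to review programmatically. The following is an added example, not PingFederate's own code: it parses constructed sample lines from both files, joins them by event ID, and surfaces the sensitive administrator actions (role changes, certificate management, and similar) together with a note when no detail record exists, which is the case for sign-on attempts and for changes stored outside XML. The field order of the sample lines, the comma-separated roles, the position of the event ID as the last field, the event-type strings and the file names are all assumptions made for the example; the page only states which pieces of information each entry contains.

```python
"""Review PingFederate-style admin.log and admin-event-detail.log entries.

Added example, not PingFederate's own code. The field layout below is an
ASSUMPTION: the page says only that fields are pipe-separated and what they
contain; real files may order or name them differently.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Events worth surfacing immediately. Names follow the page's event list; the
# exact strings the server writes are assumed.
SENSITIVE_EVENTS = {
    "Role change",
    "Certificate management",
    "Configuration archive import",
    "Account activation or deactivation",
    "Password change or reset",
}


@dataclass
class EventDetail:
    """One admin-event-detail.log entry (fields per the page, order assumed)."""
    event_id: str
    file_name: str
    event_type: str
    line_number: int
    change: str


@dataclass
class AdminEvent:
    """One admin.log entry plus any detail records joined by event ID."""
    timestamp: str
    username: str
    roles: List[str]
    event_type: str
    info: str
    event_id: Optional[str]
    details: List[EventDetail] = field(default_factory=list)


def parse_admin_line(line: str) -> AdminEvent:
    """Assumed layout: time | user | roles | event type | info | event ID."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 5:
        raise ValueError(f"malformed admin.log entry: {line!r}")
    ts, user, roles, event_type, info = parts[:5]
    event_id = parts[5] if len(parts) > 5 and parts[5] else None
    return AdminEvent(ts, user, [r for r in roles.split(",") if r],
                      event_type, info, event_id)


def parse_detail_line(line: str) -> EventDetail:
    """Assumed layout: event ID | file | event type | line number | change."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 5:
        raise ValueError(f"malformed admin-event-detail.log entry: {line!r}")
    event_id, fname, etype, lineno, change = parts[:5]
    return EventDetail(event_id, fname, etype, int(lineno), change)


def correlate(admin_lines: List[str], detail_lines: List[str]) -> List[AdminEvent]:
    """Join detail records onto admin events by the shared event ID."""
    by_id: Dict[str, List[EventDetail]] = {}
    for line in detail_lines:
        d = parse_detail_line(line)
        by_id.setdefault(d.event_id, []).append(d)
    events = []
    for line in admin_lines:
        e = parse_admin_line(line)
        if e.event_id:
            e.details = by_id.get(e.event_id, [])
        events.append(e)
    return events


def sensitive_events(events: List[AdminEvent]) -> List[AdminEvent]:
    return [e for e in events if e.event_type in SENSITIVE_EVENTS]


def review(events: List[AdminEvent]) -> List[str]:
    """One finding per sensitive event; flags events with no detail record so
    the reviewer knows the change is not reconstructible from the detail log."""
    findings = []
    for e in sensitive_events(events):
        where = (f"{len(e.details)} detail record(s)" if e.details
                 else "no detail record (no event ID, non-XML store, or event has no detail)")
        findings.append(f"{e.timestamp} {e.username} [{','.join(e.roles)}] "
                        f"{e.event_type}: {e.info}; {where}")
    return findings


# Constructed sample lines (not real PingFederate output).
ADMIN_LOG = """\
2024-05-01 09:12:03,112 | alice | Admin,Crypto Admin | Sign on attempt | success |
2024-05-01 09:14:41,507 | alice | Admin,Crypto Admin | Certificate management | SSL server certificate imported | ev-1001
2024-05-01 09:20:15,088 | bob | User Admin | Role change | user carol granted Admin | ev-1002
2024-05-01 09:25:00,001 | alice | Admin,Crypto Admin | IdP/SP connection created, modified, or deleted | connection acme-sp modified | ev-1003
""".strip().splitlines()

DETAIL_LOG = """\
ev-1002 | users.xml | Role change | 42 | <role>Admin</role> added for carol
ev-1003 | sp-connections.xml | Connection modified | 118 | <base-url> changed
""".strip().splitlines()

if __name__ == "__main__":
    for finding in review(correlate(ADMIN_LOG, DETAIL_LOG)):
        print(finding)
```

In the sample, the certificate import has an event ID but no matching detail record, so the review marks it for follow-up elsewhere, while the role change is reported with the file and line number from the detail log. Pointing the two parsers at the real files is a matter of reading them line by line and adjusting the assumed field positions to what your installation writes.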