PingFederate Server

Administrator audit logging

PingFederate records actions performed by server administrators.

This information is recorded in the <pf_install>/pingfederate/log/admin.log file. The events themselves are not configurable, but you can adjust Log4j 2 configuration settings to deliver the desired level of detail surrounding each event in the <pf_install>/pingfederate/server/default/conf/log4j2.xml file.

Events logged by PingFederate include but are not limited to:

  • Sign on attempt

  • Explicit user logout (no time-outs)

  • Account activation or deactivation

  • Password change or reset

  • Role change

  • System settings management

  • Certificate management

  • OAuth settings management

  • Metadata export

  • XML file signatures applied

  • Configuration archive export and import

  • Identity provider (IdP)/service provider (SP) adapter, IdP token processor, or SP token generator created, modified, or deleted

  • IdP/SP default URLs modified

  • IdP/SP connection created, modified, or deleted

  • Adapter-to-Adapter mapping or token exchange mapping created, modified, or deleted

  • Authentication policy contract created, modified, or deleted

  • IdP Discovery management

  • SP Affiliation created, modified, or deleted

  • PingOne for Enterprise account connected, modified, or disconnected

  • Session timeout event for the following two scenarios:

    • When an administrator’s session has timed out and they subsequently sign on again, the session timeout event is retroactively logged.

    • When an administrator’s session is invalidated due to inactivity and a session clean-up is performed by the server’s session management on the administrative console node. In this case the timeout event is logged 10 to 15 minutes after the timeout occurred.

Each entry in the admin.log file is on a separate line and represents a single administrator action. The general format of each entry is the same, though specific events are recorded with information relevant to each type. Events are recorded when you click the corresponding Save button in the administrative console. Each log entry contains information relating to the event, including:

  • The time the event occurred on the PingFederate server

  • The username of the administrator performing the action

  • The roles assigned to the administrator at the time the event occurred

  • The type of event that occurred

  • Basic information about the event

  • jti (JWT ID)

    The jti is the ID of the outbound JSON Web Token (JWT) request. This information is applicable for a LOGIN_ATTEMPT event when the PingFederate administrative console authentication scheme is OpenID Connect (OIDC).

  • The hash of the inbound access token.

    The hash logging is applicable for a LOGIN_ATTEMPT event when the PingFederate administrative console authentication scheme is OIDC. To calculate the hash value for a token or authorization code, run the calculatehash.sh/bat script in the PingFederate bin folder.

    This feature should only be enabled in production environments when actively troubleshooting authentication issues.

Each of these fields is separated by a vertical pipe (|) for easier parsing.
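The pipe-separated layout described above lends itself to simple parsing. The following added example (not PingFederate's own code) parses constructed admin.log entries into records, builds an event-type histogram, and selects the change events an auditor would review; the column order is assumed from the field list on this page, and all sample values and event names other than LOGIN_ATTEMPT are placeholders.

```python
# Parser for PingFederate admin.log entries: one pipe-separated event per line.
# The field order (time, user, roles, event type, basic info, then optional jti
# and access-token hash) follows the list on this page; the exact column layout
# and the sample lines below are assumptions, so check them against a real file.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class AdminEvent:
    time: str
    user: str
    roles: List[str]
    event: str
    info: str
    jti: Optional[str] = None
    token_hash: Optional[str] = None

def parse_line(line: str) -> Optional[AdminEvent]:
    """Split one admin.log entry on '|'; returns None for a blank line."""
    line = line.strip()
    if not line:
        return None
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 5:
        raise ValueError(f"malformed admin.log entry: {line!r}")
    # Pad the optional OIDC-only columns so a missing field becomes None, not an error.
    parts += [""] * (7 - len(parts))
    roles = [r for r in parts[2].split(",") if r]  # roles held at event time
    return AdminEvent(parts[0], parts[1], roles, parts[3], parts[4],
                      parts[5] or None, parts[6] or None)

def parse_log(text: str) -> List[AdminEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def count_by_type(events: List[AdminEvent]) -> Dict[str, int]:
    """Event-type histogram, e.g. to baseline how often LOGIN_ATTEMPT occurs."""
    return dict(Counter(ev.event for ev in events))

def select(events: List[AdminEvent], types: Set[str]) -> List[AdminEvent]:
    """Return the events whose type is in `types` (the changes worth reviewing)."""
    return [ev for ev in events if ev.event in types]

# Constructed sample entries (not from a real server); only LOGIN_ATTEMPT is an
# event name the documentation gives, the other names and values are placeholders.
SAMPLE_LOG = """\
2024-03-01 08:00:12,101| alice| Administrator,UserAdmin| LOGIN_ATTEMPT| OIDC sign on| jti-0001| 3f9c-placeholder-hash
2024-03-01 08:04:55,432| alice| Administrator,UserAdmin| CERT_CHANGE| Signing certificate replaced
2024-03-01 08:09:03,008| bob| Administrator| LOGIN_ATTEMPT| Form sign on

2024-03-01 08:10:40,771| bob| Administrator| ROLE_CHANGE| Added role UserAdmin to carol
"""
```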

Detailed event logging

You can also configure PingFederate to log additional event information to a separate log file. When you enable detailed event logging, besides writing basic information to <pf_install>/pingfederate/log/admin.log, PingFederate logs detailed information about each event to admin-event-detail.log in the same log directory.

Events recorded in the log are limited to changes stored in XML files. For example, the log does not record changes to OAuth clients stored in external datastores, such as LDAP directories or Java Database Connectivity (JDBC) databases. Additionally, not all events have detailed information. For instance, sign on attempts are only logged to the admin.log file.

PingFederate links events between admin.log and admin-event-detail.log by a unique event ID. Each entry in the admin-event-detail.log file contains:

  • The ID of the event

  • The name of the file involved

  • The type of event that occurred

  • The line number where the change occurred

  • The changes made

To enable detailed event logging, set the pf.log.eventdetail property to true in the <pf_install>/pingfederate/bin/run.properties file.