Writing provisioner audit log in CEF
You can write provisioner audit logs in Common Event Format (CEF) for PingFederate. PingFederate provides an option of writing elements from the audit log and the provisioner audit log at runtime to a syslog receiver for parsing and analysis using ArcSight from Micro Focus.
Steps
- Edit <pf_install>/pingfederate/server/default/conf/log4j2.xml.
- Uncomment one of the preset appender configurations:
  - OutboundProvisionerEventToCEFSyslog (a Socket appender under the "Outbound provisioner audit log : CEF Formatted syslog appender" section)
    This Socket appender is followed by two related appenders, PingFailover and RollingFile. Together, they create a running provisioner-audit-cef-syslog-failover.log file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled (uncommented).
  - OutboundProvisionerEventToCEFFile (a RollingFile appender under the "Outbound provisioner audit log for CEFFile" section)
  Review inline comments and notes in the log4j2.xml file for more information about each appender.
- If you are configuring the OutboundProvisionerEventToCEFSyslog Socket appender, replace the placeholder parameter values for the syslog host.
- If you are configuring the OutboundProvisionerEventToCEFSyslog Socket appender, uncomment the PingFailover appender reference (<appender-ref ref="OutboundProvisionerEventToCEFSyslog-FAILOVER"/>) from the ProvisionerAuditLogger Logger elements located under the "Set up the Outbound provisioner audit logger" section.
  As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.
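
A check for the syslog variant of the steps above, as an added example that is not part of the original page or of PingFederate: it parses a log4j2.xml and reports any piece that is still commented out or still holds a placeholder host. The sample XML is constructed; its layout, attribute values, the RollingFile name and the rule for recognizing a placeholder host are assumptions, and only the appender, logger and file names quoted in the steps come from the page.

```python
import re
import xml.etree.ElementTree as ET

SYSLOG = "OutboundProvisionerEventToCEFSyslog"
FAILOVER = SYSLOG + "-FAILOVER"
FAILOVER_LOG = "provisioner-audit-cef-syslog-failover"
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.:-]*[A-Za-z0-9])?$")  # assumption: real host is a name or IP

def check_cef_syslog(xml_text):
    """Return the problems found in the CEF syslog setup; an empty list means OK."""
    root = ET.fromstring(xml_text)  # the parser drops comments, so commented-out appenders vanish
    by_tag = {}
    for el in root.iter():
        by_tag.setdefault(el.tag.lower(), []).append(el)
    problems = []
    sockets = [e for e in by_tag.get("socket", []) if e.get("name") == SYSLOG]
    if not sockets:
        problems.append(f"Socket appender {SYSLOG} is not enabled")
    for s in sockets:
        if not HOSTNAME.match(s.get("host", "")):
            problems.append(f"syslog host {s.get('host')!r} looks like a placeholder")
    if not any(e.get("name") == FAILOVER for e in by_tag.get("pingfailover", [])):
        problems.append(f"PingFailover appender {FAILOVER} is not enabled")
    if not any(FAILOVER_LOG in e.get("fileName", "") for e in by_tag.get("rollingfile", [])):
        problems.append(f"no enabled RollingFile appender writes {FAILOVER_LOG}.log")
    loggers = [e for e in by_tag.get("logger", []) if "ProvisionerAuditLogger" in e.get("name", "")]
    if not loggers:
        problems.append("no ProvisionerAuditLogger Logger element found")
    for lg in loggers:
        refs = [c.get("ref") for c in lg if c.tag.lower() in ("appender-ref", "appenderref")]
        if FAILOVER not in refs:
            problems.append(f"Logger {lg.get('name')} lacks appender-ref {FAILOVER}, has {refs}")
    return problems

# Constructed sample, not PingFederate's shipped file: layout, attribute values and the
# RollingFile name are assumptions. SAMPLE_CONFIGURED is the same text after the steps:
# comment markers removed and the host replaced with a constructed value.
SAMPLE_DEFAULT = """<Configuration><Appenders>
  <!-- <Socket name="OutboundProvisionerEventToCEFSyslog" host="${syslog.host}" port="514"/> -->
  <!-- <PingFailover name="OutboundProvisionerEventToCEFSyslog-FAILOVER"/> -->
  <!-- <RollingFile name="HypotheticalFailoverFile" fileName="log/provisioner-audit-cef-syslog-failover.log"/> -->
</Appenders><Loggers>
  <Logger name="ProvisionerAuditLogger"><!-- <appender-ref ref="OutboundProvisionerEventToCEFSyslog-FAILOVER"/> --></Logger>
</Loggers></Configuration>"""
SAMPLE_CONFIGURED = (SAMPLE_DEFAULT.replace("<!-- ", "").replace(" -->", "")
                     .replace("${syslog.host}", "syslog.example.internal"))

if __name__ == "__main__":
    print(check_cef_syslog(SAMPLE_DEFAULT), check_cef_syslog(SAMPLE_CONFIGURED))
```

The check lists each logger's current appender references so they can be compared against the IMPORTANT comments in the file; it does not decide which existing references to remove.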