PingFederate Server

Creating an error-only server log

This section describes am approach for modifying your log4j2.xml file, which can be sent to a security information and event management (SIEM) tool, such as Splunk. You can configure alerts to send notifications when such events occur, or to improve the monitoring of these events.

About this task

We recommend using the server.log file for error-level messages. Even when levels are down to a minimum, the server log generates large amounts of information in an active production environment. As an alternative, you can set up a specific log to log only ERROR and higher.

To change your log4j2.xml file to enable a separate log file:

Steps

  1. Create an appender.

    The easiest way to create an appender is to copy an existing one as a base. In the following example, the RollingFile is the same one that the server.log file uses. Bold text identifies items that have been changed.

    [.b]<!-- Error Only Main Log : A size based file rolling appender -->
    <RollingFile name=[.b]"FILEERR" fileName="${sys:pf.log.dir}/server.error.log"
             	filePattern="${sys:pf.log.dir}/server.error.log.%i" ignoreExceptions="false">
    	<PatternLayout>
        	<!-- Uncomment this if you want to use UTF-8 encoding instead
            	of system's default encoding.
        	<charset>UTF-8</charset> -->
        	<pattern>%d %X{trackingid} %-5p [%c] %m%n</pattern>
    	</PatternLayout>
    	<Policies>
        	<SizeBasedTriggeringPolicy
                	size="10000 KB" />
    	</Policies>
    	<DefaultRolloverStrategy max="5" />
    </RollingFile>
  2. At the end of your log4j2.xml file, set the appender that you created in the previous step for AsyncRoot.

    <AsyncRoot level="INFO" includeLocation="false">
    	<!-- <AppenderRef ref="CONSOLE" /> -->
    	<AppenderRef ref="FILE" />
    	 [.b]<AppenderRef ref="FILEERR" level="ERROR" />
    </AsyncRoot>

    In this example, the level attribute indicates the level of messages that are sent to the log file.

  3. Remove the attribute additivity="false" from all other loggers that contain a reference to the File appender.

    Logger name="org.sourceid.saml20.util.SystemUtil" level="INFO" additivity="false">
    	<!--<AppenderRef ref="CONSOLE" /> -->
    	<AppenderRef ref="FILE" />

    Becomes:

    <Logger name="org.sourceid.saml20.util.SystemUtil" level="INFO" >
    	<!--<AppenderRef ref="CONSOLE" /> -->
    	<AppenderRef ref="FILE" />
  4. Make this change on all nodes within the cluster.

    To expedite this step, we recommend creating a base file with the appropriate changes and copying it to all the nodes.
  5. Restart PingFederate.