Security audit logging
PingFederate records a subset of transaction log information with additional details at runtime, intended to facilitate security auditing and regulatory compliance.
The system records activities from single sign-on (SSO), single logout (SLO), OAuth, WS-Trust Security Token Service (STS), and System for Cross-domain Identity Management (SCIM) inbound provisioning transactions in the security audit log, the audit.log
file, located in the <pf_install>/pingfederate/log
directory. You can output security audit log information to different formats, including databases, CEF, and Splunk.
Outbound provisioning transactions are not included in the security audit log. Instead, they are recorded in the outbound provisioning audit log, the |
The following tables describe the default and available fields. PingFederate separates each field by a vertical pipe (\|
). As needed, fields are configurable by editing the <pf_install>/pingfederate/server/default/conf/log4j2.xml
file.
Field | Description | ||
---|---|---|---|
%d |
The transaction time. |
||
trackingid |
The tracking ID values uniquely identify user sessions, useful for correlating log messages in the audit and server logs. |
||
transactionid |
An identifier unique to the SSO or SLO PingFederate transaction.
|
||
event |
The type of transaction. For example,
|
||
subject |
The subject of the transaction or authentication attempt. |
||
ip |
The incoming IP address. |
||
app |
The target service provider (SP) application, the email verification endpoint, or the profile management page, when applicable and available. |
||
connectionid |
The partner identifier associated with the transaction. The OAuth client ID value for OAuth transactions. The ID of the authentication policy contract referenced by the local identity profile that has been invoked for the purpose of accessing the email verification endpoint or the profile management page. |
||
protocol |
The associated identity protocol; for example, |
||
host |
The host name or IP address of the PingFederate server. |
||
role |
The role PingFederate played for the transaction. |
||
status |
The status of the transactions. |
||
adapterid |
The ID of an adapter instance. Consider adding the |
||
description |
The description of an authentication failure, when such information is available from the authentication source, or an authorization failure from an erroneous OAuth authorization request. For user sign-on events processed through an HTML form adapter, the description includes the error source and error message. Here’s an example of the description when authentication with an HTML form adapter fails because a data store locked the user’s account, where description=[source:LDAP-8C4A5F60684C90B9ECE88D2B] Account Locked Here’s an example of the description when authentication with an HTML form adapter fails because PingFederate’s Account Locking Service locked the user’s account: description=[source:AccountLockingService] Account Locked |
||
responsetime |
The time elapsed in milliseconds from when the system receives a final request for a transaction, to when the system writes the audit message. This value serves as an approximation of total transaction processing time and can be useful for monitoring trends. |
Field | Description | ||
---|---|---|---|
accessgrantguid |
The GUID of the OAuth access grant, for OAuth transactions. |
||
assertionid |
The unique ID for the SAML assertion. |
||
atjti |
The |
||
attrackingid |
The tracking ID for OAuth access token. You can use this ID to analyze the flow of OAuth access tokens in the audit log and between PingFederate and PingAccess. |
||
attributes |
The user attributes received (for an SP log), sent (for an IdP log), or provided by the user through the self-service registration or profile management page. |
||
authenticationsourceid |
An array of one or more IdP adapters, one or more IdP connections, and identity profile, if any, invoked in an authentication or logout flow. For example, |
||
authnsessionexpiry |
The expiry of an authentication session that has just been created or used. |
||
connectionname |
The partner name associated with the transaction. The OAuth client name for OAuth transactions. The name of the authentication policy contract referenced by the local identity profile that has been invoked for the purpose of accessing the email verification endpoint or the profile management page. |
||
granttype |
The OAuth grant type. |
||
header\{anHttpRequestHeader} |
The HTTP request header value identified by the header name. The header name is case-insensitive. For example, To record multiple headers, repeat the <pattern>...| %header\{accept-language}| %header\{dnt} %n</pattern> Given this partial sample, PingFederate includes both the
|
||
httprequestid |
The ID of the HTTP request. This can be used for correlation across external systems (like PingDirectory) and for debugging purposes in the server log. This field is optional. |
||
idjti |
The |
||
inachash |
The hash of the inbound authorization code (when |
||
inathash |
The hash of the inbound access token (when |
||
initiator |
The federation role that initiated the SSO or SLO: Applicable only to SAML 2.0 transactions. |
||
inmessagetype |
The incoming message type. Possible values are |
||
inresponseto |
The value of the |
||
inxmlmsg |
The incoming message. For example, a SAML AuthnRequest or the information pertaining to an OAuth request. |
||
inrthash |
The hash of the inbound refresh token (when |
||
localuserid |
The local ID used for the transaction, when account linking is enabled at the SP. |
||
outachash |
The hash of the outbound authorization code (when |
||
outathash |
The hash of the outbound access token (when |
||
outrthash |
The hash of the outbound refresh token (when |
||
outurl |
The URL where the protocol response was sent. For security reason, parameters and fragments are excluded. |
||
outxmlmsg |
The outgoing message. For example, a SAML Response or the information pertaining to a response for an OAuth request. |
||
parameter\{anHttpRequestParameter} |
The value of the HTTP request parameter identified by the parameter name. The parameter name is case-sensitive. To record multiple parameters, repeat the <pattern>...| %parameter\{foo1}| %parameter\{Foo3} %n</pattern> Given this partial sample, PingFederate includes both the
|
||
pfversion |
The PingFederate version. |
||
requestid |
The ID of a SAML request. |
||
requestjti |
The |
||
requeststarttime |
The start time of the request in milliseconds since midnight, January 1, 1970 UTC. |
||
responseid |
The ID of a SAML response. |
||
sessiongroupid |
The internal ID for a group of persistent authentication sessions associated with a single browser instance through the PF.PERSISTENT cookie. It is only set if the request has triggered a session lookup. |
||
sri |
The session reference identifier (SRI) for the user, which can be passed to the session revocation API to revoke the user’s sessions. It is only set if the request has triggered a session lookup. |
||
stspluginid |
The ID for the token processor or token generator instance. Applicable only to WS-Trust STS transactions. |
||
targetsessionid |
An array of one or more SP adapters or SP connections invoked in an authentication or logout flow. |
||
tlsversion |
The connection’s TLS version.
|
||
trackedparameter\{ |
The value of the tracked HTTP request parameter identified by the parameter name. The parameter name is case-sensitive.
To record multiple parameters, repeat the <pattern>...| %trackedparameter\{foo2}| %trackedparameter\{Foo4} %n</pattern> Given this partial sample, PingFederate includes both the If the parameter, as indicated by <anHttpRequestParameter>, has not been configured as a parameter to be tracked by the policy engine, PingFederate does not record the parameter value in the audit log. |
||
uniqueuserkey |
The unique user key tied to the user’s authentication sessions. It is only set if the user authenticated using an IdP adapter that has configured a unique user key attribute. |
||
validatorid |
The ID of the Password Credential Validator (PCV) instance, for the successful attempts. |
||
virtualserverid |
The virtual server ID of a request, if applicable. |
To calculate the hash value for a token or authorization code, run the |