--- title: Writing audit log in CEF description: You can write the audit log in Common Event Format (CEF) in PingFederate. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_writin_audit_log_cef canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_writin_audit_log_cef.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: steps: Steps --- # Writing audit log in CEF You can write the audit log in Common Event Format (CEF) in PingFederate. ## Steps 1. Edit `/pingfederate/server/default/conf/log4j2.xml`. 2. Under the `Security Audit log : CEF Formatted syslog appender` section, uncomment one of the preset appender configurations: * `SecurityAuditToCEFSyslog` - a `Socket` appender * `SecurityAuditToCEFFile` - a `RollingFile` appender | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `SecurityAuditToCEFSyslog` `Socket` appender is followed by two related appenders, `PingFailover` and `RollingFile`. Together, they create a running `audit-cef-syslog-failover.log` file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled and uncommented. | | | | | - | --------------------------------------------------------------------------------------------------- | | | Review inline comments and notes in the `log4j2.xml` file for more information about each appender. | 3. If you are configuring the `SecurityAuditToCEFSyslog` `Socket` appender, replace the placeholder parameter values for the syslog host. 4. If you are configuring the `SecurityAuditToCEFSyslog` `Socket` appender. uncomment the `PingFailover` appender reference (``) from the following `Logger` elements located under the `Loggers` section: * Browser SSO SP and adapter-to-adapter - `org.sourceid.websso.profiles.sp.SpAuditLogger` * Browser SSO IdP and adapter-to-adapter - `org.sourceid.websso.profiles.idp.IdpAuditLogger` * OAuth authorization server - `org.sourceid.websso.profiles.idp.AsAuditLogger` * Dynamic Client Registration - `org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger` * WS-Trust STS, identity provider (IdP), and service provider (SP) - `org.sourceid.wstrust.log.STSAuditLogger` | | | | - | ---------------------------------------------------------------------------------------------------------------------- | | | As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references. |