---
title: Writing provisioner audit log in CEF
description: You can write provisioner audit logs in Common Event Format (CEF) for PingFederate. PingFederate provides an option of writing elements from the audit log and the provisioner audit log at runtime to a syslog receiver for parsing and analysis using ArcSight from Micro Focus.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_writin_provision_audit_log_cef
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_writin_provision_audit_log_cef.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
---

# Writing provisioner audit log in CEF

You can write provisioner audit logs in Common Event Format (CEF) for PingFederate. PingFederate provides an option of writing elements from the audit log and the provisioner audit log at runtime to a syslog receiver for parsing and analysis using ArcSight from Micro Focus.

## Steps

1. Edit `<pf_install>/pingfederate/server/default/conf/log4j2.xml`.

2. Uncomment one of the preset appender configurations:

   * `OutboundProvisionerEventToCEFSyslog` (a `Socket` appender under the `Outbound provisioner audit log : CEF Formatted syslog appender` section)

     |   |                                                                                                                                                                                                                                                                                                             |
     | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | This `Socket` appender is followed by two related appenders, `PingFailover` and `RollingFile`. Together, they create a running `provisioner-audit-cef-syslog-failover.log` file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled (uncommented). |

   * `OutboundProvisionerEventToCEFFile` (a `RollingFile` appender under the `Outbound provisioner audit log for CEFFile` section)

     |   |                                                                                                     |
     | - | --------------------------------------------------------------------------------------------------- |
     |   | Review inline comments and notes in the `log4j2.xml` file for more information about each appender. |

3. If you are configuring the `OutboundProvisionerEventToCEFSyslog` `Socket` appender, replace the placeholder parameter values for the syslog host.

4. If you are configuring the `OutboundProvisionerEventToCEFSyslog` `Socket` appender, uncomment the `PingFailover` appender reference (`<appender-ref ref="OutboundProvisionerEventToCEFSyslog-FAILOVER"/>`) from the `ProvisionerAuditLogger` `Logger` elements located under the `Set up the Outbound provisioner audit logger` section.

   |   |                                                                                                                        |
   | - | ---------------------------------------------------------------------------------------------------------------------- |
   |   | As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references. |