Writing logs to databases
Database logging replaces file logging. For each qualified database server, PingFederate provides scripts to create database tables for the audit log, the provisioner audit log, the provisioner log, and the server log.
About this task
You can find these scripts in the <pf_install>/pingfederate/server/default/conf/log4j/sql-scripts
directory.
PingFederate was tested with vendor-specific Java database connectivity (JDBC) 4.2 drivers. Learn more in Compatible database drivers. To obtain the database driver |
Failover file logging is provided in the event that database logging fails for any reasons. By default, PingFederate retries database logging every minute. Messages written to log files during failover periods are not copied over to the database server.
You enable database logging for the audit log, the provisioner audit log, the provisioner log, and the server log in the log4j2.xml
file.
Steps
-
Edit
<pf_install>/pingfederate/server/default/conf/log4j2.xml
. -
After the
Preserve messages in a local file
section, for each log that you want to enable database logging, uncomment the preset Java Database Connectivity (JDBC
) appender configuration based on the choice of your database server.- Audit log
-
-
Oracle MySQL -
SecurityAuditToMySQLDB
-
Oracle Database -
SecurityAuditToOracleDB
-
PostgreSQL -
SecurityAuditToPostgreSQLDB
-
Microsoft SQL Server -
SecurityAuditToSQLServerDB
-
- Provisioner audit log
-
-
Oracle MySQL -
OutboundProvisionerEventToMySQLDB
-
Oracle Database -
OutboundProvisionerEventToOracleDB
-
PostgreSQL -
OutboundProvisionerEventToPostgreSQLDB
-
Microsoft SQL Server -
OutboundProvisionerEventToSQLServerDB
-
- Provisioner log
-
-
Oracle MySQL -
ProvisionerLogToMySQLDB
-
Oracle Database -
ProvisionerLogToOracleDB
-
PostgreSQL -
ProvisionerLogToPostgreSQLDB
-
Microsoft SQL Server -
ProvisionerLogToSQLServerDB
-
- Server log
-
-
Oracle MySQL -
ServerLogToMySQLDB
-
Oracle Database -
ServerLogToOracleDB
-
PostgreSQL -
ServerLogToPostgreSQLDB
-
Microsoft SQL Server -
ServerLogToSQLServerDB
Each
JDBC
appender is followed by two related appenders,PingFailover
andRollingFile
. Together, they create a running*-failover.log
file in the log directory in the event that database logging fails for any reason. Both appenders must also be enabled (uncommented).For more information about each appender, review inline comments and notes in the
log4j2.xml
file.
-
-
Replace placeholder parameter values in
log4j2.db.properties
in the sameconf
directory for the applicable Java Database Connectivity (JDBC) servers.The parameter values provide access to the database. Test and validate access prior to production deployment. Like
log4j2.xml
,log4j2.db.properties
is also individually managed per PingFederate server. This flexibility allows multiple PingFederate nodes in a clustered environment to write messages to different destinations, as needed.You can obfuscate the password used to access the database by running the
obfuscate
utility, located in the<pf_install>/pingfederate/bin
directory:obfuscate.bat
for Windows orobfuscate.sh
for Linux. Use the actual password as an argument and copy the entire result into the value for the password parameter inlog4j2.db.properties
. -
Uncomment the appender reference,
<AppenderRef/>
, in the associated logger elements, as described inline in thelog4j2.xml
file.- Audit log
-
Uncomment the corresponding
PingFailover
appender references from the followingLogger
elements located under theLoggers
section:-
Browser SSO SP and adapter-to-adapter -
org.sourceid.websso.profiles.sp.SpAuditLogger
-
Browser SSO IdP and adapter-to-adapter -
org.sourceid.websso.profiles.idp.IdpAuditLogger
-
OAuth authorization server -
org.sourceid.websso.profiles.idp.AsAuditLogger
-
Dynamic Client Registration -
org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger
-
WS-Trust STS, IdP, and SP -
org.sourceid.wstrust.log.STSAuditLogger
-
- Provisioner audit log
-
Uncomment the corresponding
PingFailover
appender reference from theProvisionerAuditLogger
Logger
element located under theSet up the Outbound provisioner audit logger
section. - Provisioner log
-
Uncomment the corresponding
PingFailover
appender reference from thecom.pingidentity.provisioner
AsyncLogger
element located under theLoggers
section. - Server log
-
Uncomment the corresponding
PingFailover
appender reference from theroot
element located under theSet up the Root Logger
section, near the end of the file.As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.
-
Optional: For the audit log and the provisioner audit log, you can configure elements for database logging in the
ConversionPattern
appender parameter, as needed.