Writing audit log in CEF
You can write the audit log in Common Event Format (CEF) in PingFederate.
Steps
- Edit <pf_install>/pingfederate/server/default/conf/log4j2.xml.
- Under the Security Audit log : CEF Formatted syslog appender section, uncomment one of the preset appender configurations:
  - SecurityAuditToCEFSyslog - a Socket appender
  - SecurityAuditToCEFFile - a RollingFile appender

  The SecurityAuditToCEFSyslog Socket appender is followed by two related appenders, PingFailover and RollingFile. Together, they create a running audit-cef-syslog-failover.log file in the log directory in the event that CEF logging fails for any reason. Both appenders must also be enabled and uncommented.

  Review inline comments and notes in the log4j2.xml file for more information about each appender.
- If you are configuring the SecurityAuditToCEFSyslog Socket appender, replace the placeholder parameter values for the syslog host.
- If you are configuring the SecurityAuditToCEFSyslog Socket appender, uncomment the PingFailover appender reference (<appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/>) from the following Logger elements located under the Loggers section:
  - Browser SSO SP and adapter-to-adapter - org.sourceid.websso.profiles.sp.SpAuditLogger
  - Browser SSO IdP and adapter-to-adapter - org.sourceid.websso.profiles.idp.IdpAuditLogger
  - OAuth authorization server - org.sourceid.websso.profiles.idp.AsAuditLogger
  - Dynamic Client Registration - org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger
  - WS-Trust STS, identity provider (IdP), and service provider (SP) - org.sourceid.wstrust.log.STSAuditLogger

  As indicated in the IMPORTANT comments for the loggers, you must also remove some of the existing appender references.
-
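A check for the syslog steps above, added here as an example and not taken from the PingFederate documentation or product: it parses log4j2.xml content and reports which of the five audit loggers still lack a live (uncommented) SecurityAuditToCEFSyslog-FAILOVER reference, so a missed logger does not leave a gap in the audit trail. The XML fragment is constructed and stripped down, the syslog host is a placeholder, and the check assumes the PingFailover appender's name attribute equals the referenced name, as Log4j 2 appender references work.

```python
import xml.etree.ElementTree as ET

FAILOVER_REF = "SecurityAuditToCEFSyslog-FAILOVER"  # appender-ref value from the steps
AUDIT_LOGGERS = [  # Logger names listed in the steps
    "org.sourceid.websso.profiles.sp.SpAuditLogger",
    "org.sourceid.websso.profiles.idp.IdpAuditLogger",
    "org.sourceid.websso.profiles.idp.AsAuditLogger",
    "org.sourceid.websso.profiles.idp.ClientRegistrationAuditLogger",
    "org.sourceid.wstrust.log.STSAuditLogger",
]

# Constructed, stripped-down fragment (not the shipped file); host is a placeholder.
SAMPLE = """<Configuration>
  <Appenders>
    <Socket name="SecurityAuditToCEFSyslog" host="syslog.example.internal" port="514"/>
    <PingFailover name="SecurityAuditToCEFSyslog-FAILOVER"/>
  </Appenders>
  <Loggers>
    <Logger name="org.sourceid.websso.profiles.sp.SpAuditLogger">
      <appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/>
    </Logger>
    <Logger name="org.sourceid.websso.profiles.idp.IdpAuditLogger">
      <!-- <appender-ref ref="SecurityAuditToCEFSyslog-FAILOVER"/> -->
    </Logger>
  </Loggers>
</Configuration>"""

def _tag(el):
    # Log4j 2 accepts <appender-ref> as an alias of <AppenderRef>; normalise both.
    return el.tag.lower().replace("-", "")

def check_cef_failover(xml_text):
    """Return (failover_appender_defined, audit_loggers_missing_the_ref)."""
    # ElementTree drops XML comments, so commented-out elements are not seen.
    root = ET.fromstring(xml_text)
    defined, refs = False, {}
    for section in root:
        if _tag(section) == "appenders":
            defined = defined or any(a.get("name") == FAILOVER_REF for a in section)
        elif _tag(section) == "loggers":
            for lg in section:
                refs[lg.get("name")] = {r.get("ref") for r in lg if _tag(r) == "appenderref"}
    missing = [n for n in AUDIT_LOGGERS if FAILOVER_REF not in refs.get(n, set())]
    return defined, missing

if __name__ == "__main__":
    defined, missing = check_cef_failover(SAMPLE)
    print("failover appender defined:", defined)
    for name in missing:
        print("missing failover ref:", name)
```

To run it against a real installation, pass the contents of the edited log4j2.xml to check_cef_failover instead of SAMPLE.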