---
title: attack.log for Splunk
description: Configure dataengine.properties for attack.log
component: pingintelligence
version: 5.1
page_id: pingintelligence:pingintelligence_dashboard:pingintelligence_configure_attack_data_splunk
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_dashboard/pingintelligence_configure_attack_data_splunk.html
revdate: April 3, 2024
---

# attack.log for Splunk

**Configure `dataengine.properties` for attack.log**

Edit the `pingidentity/dataengine/config/dataengine.properties` file to send the attack data to `attack.log`. By default `syslog` is configured. To send the attack data to `attack.log`, edit the `dataengine.properties` file as shown in the snippet below:

```
# Log4j2
# publish attacks to Log4j2. Valid values true or false
# By default it provides syslog support
 publish.log4j2.enable=true
# log4j2 config file to log attacks to an external service. For example, Syslog
# use com.pingidentity.abs.publish as logger name in log4j2 configuration
 log4j2.config=config/attack_log.xml
# log4j2 log level for attack logging
log4j2.log.level=INFO
# directory for any log4j2 config dependency jar's.
# useful for third party log4j2 appenders
# it should be a directory
log4j2.dependencies.dir=plugins/
```

**attack\_log.xml**: Following is a snippet of the `attack_log.xml`. The `attack_log.xml` produces` attack.log` that is consumed by Splunk. The `attack.log` captures the attack data in a JSON format.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="APIIntelligence" packages="" status="warn">
  <Appenders>
    <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
      filePattern="logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true" >
      <PatternLayout>
        <Pattern>pi-attack-info-%m%n</Pattern>
      </PatternLayout>
      <Policies>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
  </Appenders>

  <!-- Attacks are logged to logger with name com.pingidentity.abs.publish
       There should be at least one logger with name com.pingidentity.abs.publish
       It is better to set additivity="false" so that same attacks will not be logged in dashboard.log -->

  <Loggers>
    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
      <AppenderRef ref="attack_log"/>
    </Logger>
  </Loggers>
</Configuration>
```

The attack data is published to a Log4j logger named `com.pingidentity.abs.publish`. The Log4j configuration file must have a logger named `com.pingidentity.abs.publish`. Any Log4j2 config file that wants to capture attack data from Dashboard must have at least one logger with name `com.pingidentity.abs.publish`.