---
title: "Configuring attack.log for Splunk"
description: Configure attack.log for Splunk to capture attack data.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_configure_attack_data_splunk
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_configure_attack_data_splunk.html
revdate: April 3, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
---

# Configuring `attack.log` for Splunk

Configure `attack.log` for Splunk to capture attack data.

## About this task

To configure `attack.log`:

## Steps

1. Configure `dataengine.properties` for `attack.log`.

   1. Edit the `pingidentity/dataengine/config/dataengine.properties` file to send the attack data to `attack.log`. By default, `syslog` is configured.

   2. To send the attack data to `attack.log`, edit the `dataengine.properties` file as shown in the snippet below:

      ```
      # Log4j2
      # publish attacks to Log4j2. Valid values true or false
      # By default it provides syslog support
      publish.log4j2.enable=true
      # log4j2 config file to log attacks to an external service. For example, Syslog
      # use com.pingidentity.abs.publish as logger name in log4j2 configuration
      log4j2.config=config/attack_log.xml
      # log4j2 log level for attack logging
      log4j2.log.level=INFO
      # directory for any log4j2 config dependency jar's.
      # useful for third party log4j2 appenders
      # it should be a directory
      log4j2.dependencies.dir=plugins/
      ```

      ### Result:

      The following snippet of `attack_log.xml` produces the `attack.log` file that Splunk consumes. `attack.log` captures the attack data in JSON format.

      The attack data is published to a Log4j logger named `com.pingidentity.abs.publish`, so any Log4j2 configuration file that captures attack data from Dashboard must define at least one logger with that name.

      ```xml
      <?xml version="1.0" encoding="UTF-8"?>
      <Configuration name="APIIntelligence" packages="" status="warn">
        <Appenders>
          <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
            filePattern="logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true" >
            <PatternLayout>
              <Pattern>pi-attack-info-%m%n</Pattern>
            </PatternLayout>
            <Policies>
              <TimeBasedTriggeringPolicy/>
            </Policies>
          </RollingFile>
        </Appenders>

        <!-- Attacks are logged to logger with name com.pingidentity.abs.publish
             There should be at least one logger with name com.pingidentity.abs.publish
             It is better to set additivity="false" so that same attacks will not be logged in dashboard.log -->

        <Loggers>
          <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
            <AppenderRef ref="attack_log"/>
          </Logger>
        </Loggers>
      </Configuration>
      ```
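
An added example, not part of the Ping Identity documentation or product: a Python check that the two files edited in the steps above agree, so that attack data is not silently dropped or duplicated before Splunk reads it. The function names and the trimmed sample inputs are constructed for illustration, and the check assumes the XML has the shape shown on this page (plain `Logger` elements under `Loggers`).

```python
import xml.etree.ElementTree as ET

ATTACK_LOGGER = "com.pingidentity.abs.publish"  # logger name this page requires

# Constructed sample inputs, trimmed from the snippets on this page.
SAMPLE_PROPS = "publish.log4j2.enable=true\nlog4j2.config=config/attack_log.xml\n"
SAMPLE_XML = """<Configuration name="APIIntelligence" status="warn">
  <Appenders>
    <RollingFile name="attack_log" fileName="logs/attack.log"
                 filePattern="logs/attack.log.%d{yyyy-MM-dd}"/>
  </Appenders>
  <Loggers>
    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
      <AppenderRef ref="attack_log"/>
    </Logger>
  </Loggers>
</Configuration>"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_attack_logging(properties_text, log4j2_xml):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    props = parse_properties(properties_text)
    if props.get("publish.log4j2.enable", "").lower() != "true":
        problems.append("publish.log4j2.enable is not true")
    if not props.get("log4j2.config"):
        problems.append("log4j2.config is not set")
    # Encoding to bytes lets a full file with an XML declaration parse as well.
    root = ET.fromstring(log4j2_xml.strip().encode("utf-8"))
    appenders = {a.get("name") for a in root.findall("./Appenders/*")}
    loggers = [l for l in root.findall("./Loggers/Logger") if l.get("name") == ATTACK_LOGGER]
    if not loggers:
        problems.append("no logger named " + ATTACK_LOGGER)
    for logger in loggers:
        if logger.get("additivity", "true").lower() != "false":  # Log4j2 default is true
            problems.append("additivity is not false; attacks may also reach dashboard.log")
        refs = [r.get("ref") for r in logger.findall("AppenderRef")]
        if not refs or any(ref not in appenders for ref in refs):
            problems.append("logger has no AppenderRef to a defined appender")
    return problems
```

Pass the contents of `dataengine.properties` and `attack_log.xml` as strings to `check_attack_logging`; an empty list means the settings shown on this page are all in place.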
