PingIntelligence

Configuring attack.log for Splunk

Configure attack.log for Splunk to capture attack data.

About this task

To configure attack.log:

Steps

  1. Configure dataengine.properties for attack.log.

    1. Edit the pingidentity/dataengine/config/dataengine.properties file to send the attack data to attack.log. By default, syslog is configured.

    2. To send the attack data to attack.log, edit the dataengine.properties file as shown in the snippet below:

      # Log4j2
      # publish attacks to Log4j2. Valid values true or false
      # By default it provides syslog support
      publish.log4j2.enable=true
      # log4j2 config file to log attacks to an external service. For example, Syslog
      # use com.pingidentity.abs.publish as logger name in log4j2 configuration
      log4j2.config=config/attack_log.xml
      # log4j2 log level for attack logging
      log4j2.log.level=INFO
      # directory for any log4j2 config dependency jar's.
      # useful for third party log4j2 appenders
      # it should be a directory
      log4j2.dependencies.dir=plugins/

      Result:

      The following is a snippet of attack_log.xml, the Log4j2 configuration that produces attack.log for Splunk to consume. The attack.log file captures the attack data in JSON format.

      The attack data is published to a Log4j2 logger named com.pingidentity.abs.publish, so any Log4j2 configuration file that captures attack data from the Dashboard must define at least one logger with that name.

      <?xml version="1.0" encoding="UTF-8"?>
      <Configuration name="APIIntelligence" packages="" status="warn">
        <Appenders>
          <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
            filePattern="logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true" >
            <PatternLayout>
              <Pattern>pi-attack-info-%m%n</Pattern>
            </PatternLayout>
            <Policies>
              <TimeBasedTriggeringPolicy/>
            </Policies>
          </RollingFile>
        </Appenders>
      
        <!-- Attacks are logged to logger with name com.pingidentity.abs.publish
             There should be at least one logger with name com.pingidentity.abs.publish
             It is better to set additivity="false" so that same attacks will not be logged in dashboard.log -->
      
        <Loggers>
          <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
            <AppenderRef ref="attack_log"/>
          </Logger>
        </Loggers>
      </Configuration>
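      The following Python script is an added example, not part of the PingIntelligence documentation or product. It checks a Log4j2 configuration against the requirements stated above (a logger named com.pingidentity.abs.publish, an AppenderRef that resolves to a declared appender, and additivity="false" so attacks are not duplicated into dashboard.log), and it parses attack.log lines written with the pi-attack-info-%m%n pattern back into JSON records, which is what a Splunk ingestion check would need. The embedded configuration is a copy of the snippet above, and the attack.log lines and their JSON fields are constructed samples, not real product output.

```python
import json
import xml.etree.ElementTree as ET

# Logger name the attack data is published to (from the documentation).
ATTACK_LOGGER = "com.pingidentity.abs.publish"
# Prefix written by the <Pattern>pi-attack-info-%m%n</Pattern> layout.
LINE_PREFIX = "pi-attack-info-"

# Copy of the attack_log.xml snippet, used here as sample input.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration name="APIIntelligence" packages="" status="warn">
  <Appenders>
    <RollingFile name="attack_log" append="true" fileName="${sys:dashboard.rootdir}/logs/attack.log"
      filePattern="logs/attack.log.%d{yyyy-MM-dd}" immediateFlush="true">
      <PatternLayout><Pattern>pi-attack-info-%m%n</Pattern></PatternLayout>
      <Policies><TimeBasedTriggeringPolicy/></Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger additivity="false" level="info" name="com.pingidentity.abs.publish">
      <AppenderRef ref="attack_log"/>
    </Logger>
  </Loggers>
</Configuration>"""

# Constructed attack.log lines; the JSON field names are invented for this example.
SAMPLE_LINES = [
    'pi-attack-info-{"attack_type": "constructed-sample", "source_ip": "198.51.100.7"}',
    "pi-attack-info-this is not json",
    "2024-01-01 00:00:00 INFO unrelated dashboard line",
]


def check_attack_log_config(xml_text):
    """Return a list of problems in a Log4j2 config meant to capture attack data.

    An empty list means the config satisfies the documented requirements:
    a Logger named com.pingidentity.abs.publish, every AppenderRef under it
    resolving to a declared appender, and additivity="false" on that logger.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    problems = []
    appender_names = {a.get("name") for a in root.findall("./Appenders/*")}
    loggers = [lg for lg in root.findall("./Loggers/Logger") if lg.get("name") == ATTACK_LOGGER]
    if not loggers:
        problems.append('no <Logger name="%s"> found' % ATTACK_LOGGER)
    for logger in loggers:
        # Log4j2 defaults additivity to true, which would also send attacks to the root logger.
        if logger.get("additivity", "true").lower() != "false":
            problems.append('logger %s should set additivity="false"' % ATTACK_LOGGER)
        refs = [r.get("ref") for r in logger.findall("AppenderRef")]
        if not refs:
            problems.append("logger %s has no AppenderRef" % ATTACK_LOGGER)
        for ref in refs:
            if ref not in appender_names:
                problems.append('AppenderRef ref="%s" does not match any appender' % ref)
    return problems


def parse_attack_log_line(line):
    """Strip the pi-attack-info- prefix and parse the JSON payload.

    Returns None for lines that do not carry the prefix or whose payload is not
    valid JSON, so a malformed or foreign line never aborts the whole file.
    """
    line = line.rstrip("\r\n")
    if not line.startswith(LINE_PREFIX):
        return None
    try:
        return json.loads(line[len(LINE_PREFIX):])
    except json.JSONDecodeError:
        return None


def load_attack_log(lines):
    """Parse an iterable of attack.log lines, keeping only well-formed attack records."""
    records = []
    for line in lines:
        record = parse_attack_log_line(line)
        if record is not None:
            records.append(record)
    return records


if __name__ == "__main__":
    for problem in check_attack_log_config(SAMPLE_CONFIG) or ["config OK"]:
        print(problem)
    for record in load_attack_log(SAMPLE_LINES):
        print(json.dumps(record, sort_keys=True))
```

      To check a deployed configuration, read pingidentity/dataengine/config/attack_log.xml and pass its contents to check_attack_log_config; to spot-check what Splunk will ingest, pass the open attack.log file to load_attack_log.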