PingOne Advanced Identity Cloud

Export log events to an external monitoring tool

You can export Advanced Identity Cloud log event data to an external monitoring tool, a process sometimes known as push logging. This lets you monitor certain events in real time and troubleshoot issues using your preferred SIEM or event monitoring solution, such as an OpenTelemetry-compatible SIEM or Splunk.

Advanced Identity Cloud supports streaming log event data in OpenTelemetry Protocol (OTLP) and Splunk formats.

To configure a log event exporter, use REST API calls to define the telemetry format, the log sources to export, and the destination monitoring tool. Advanced Identity Cloud’s log event exporter service then retrieves the logs and sends them to your chosen monitoring tool in real time.

log events push
An Advanced Identity Cloud tenant environment can have only one log event exporter. This means you can only send logs to one external monitoring tool or SIEM.

Use cases

Exporting Advanced Identity Cloud log events to an external monitoring tool in real time has many use cases, including:

  • Debug journeys while viewing real-time events and errors.

  • Monitor the performance of authentications during journey creation.

  • Collect events from Advanced Identity Cloud and enrich them with data from other sources.

  • Detect and respond to critical events. For example, a sudden spike in registrations might mean an effective marketing program or suspicious activity.

  • Set alerts on authentication and registration requests from particular regions.

  • Monitor the improper use of APIs.

  • Monitor user activity, success/failure rates, and password reset requests.

Supported export formats

The log event exporter service supports the following formats:

Supported monitoring tools

Set up a log event exporter

Follow these steps to set up a log event exporter:

  1. Determine the Advanced Identity Cloud log sources to export.

  2. Configure your destination monitoring service to receive log events from Advanced Identity Cloud.

    Refer to your monitoring tool vendor documentation for configuration details.

    Grafana

    1. Go to your Grafana Cloud Stacks page.

    2. Under OpenTelemetry, click Configure.

    3. Copy the OTLP Endpoint, adding /v1/logs to the end. For example, https://example.grafana.net/otlp/v1/logs.

    4. Copy the Instance ID for the username.

    5. Under Password / API Token, click Generate Now to generate the password.

    Datadog

    • Follow the Datadog documentation to get DD_API_KEY and YOUR_ENDPOINT. The value in YOUR_ENDPOINT must end in /v1/logs.

    New Relic

    • Follow the New relic documentation to get OTEL_EXPORTER_OTLP_ENDPOINT and your api-key. The endpoint must end in /v1/logs.

    Splunk

    1. Configure HTTP Event Collector (HEC).

    2. Make a note of the HEC token. You’ll need this when you configure the log event export in Advanced Identity Cloud.

      You must disable indexer acknowledgment for the HEC token. The Advanced Identity Cloud log event exporter is not compatible with this feature.

  3. Configure the log event export in Advanced Identity Cloud using REST. Learn more in Manage log event exporters using the API.

  4. Verify that the log events are arriving at the external monitoring tool correctly.