PingOne for Enterprise

Adding a Push subscription

Push subscriptions stream audit events of the selected type to the HTTPS URL you specify.

Steps

  1. Go to Dashboard → Reporting → Subscriptions → Add Subscription.

  2. In the Name field, enter a name for this subscription.

  3. In the Type list, select the type of audit event that will be pushed for this subscription.

    For more information, see PingOne for Enterprise report types.

  4. Select Push to create a Push subscription.

  5. In the Format list, select the format for the audit events.

    For Push subscriptions, this can be either:

    • Audit (the PingOne for Enterprise default format).

    • Splunk (a format compatible with Splunk processing).

    Both formats are JSON.

  6. In the URL field, enter the URL to stream audit events to.

    The URL must be HTTPS.
  7. In the Authorization Header field, enter a request header that will be posted to the URL you specified.

    For example, "Authorization: Basic 80F4FC1D78C0F15627C9B95C".

  8. Click Upload to upload the public certificate registered to the URL you specified.

    For Splunk subscriptions, you need to upload the endpoint certificate, not the entire certificate chain. You can get your endpoint certificate by going to your Splunk endpoint in a browser and downloading it.
  9. Click Done.

    Result:

    You will find the new subscription listed on the Subscriptions page.

Result

The audit events pushed to the URL you specified will look similar to these samples:

Audit format

{
  "source": "ADMINISTRATOR_LOGIN",
  "id": "8fd3d92f-7af2-11e8-b80d-0ec0fbebxxxx",
  "recorded": "2018-28-06T16:44:44.849Z",
  "action": {
    "type": "Password"
  },
  "actors": [
    {
      "type": "user",
      "name": "pcasso@pingidentity.com"
    }
  ],
  "resources": [],
  "client": {
    "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
    "ipAddress": "192.168.10.1, 172.138.206.50"
  },
  "result": {
    "status": "SUCCESS",
    "message": "Password"
  }
}

Splunk format

{
  "event": {
    "source": "ADMINISTRATOR_LOGIN",
    "id": "44990ce5-7af4-11e8-b80d-0ec0fbebxxxx",
    "recorded": "2018-28-06T16:56:57.627Z",
    "action": {
      "type": "Password"
    },
    "actors": [
      {
        "type": "user",
        "name": "pcasso@pingidentity.com"
      }
    ],
    "resources": [],
    "client": {
      "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
      "ipAddress": "24.222.35.218, 172.18.26.54"
    },
    "result": {
      "status": "SUCCESS",
      "message": "Password"
    }
  },
  "host": "pingidentity.com",
  "time": 1530205017627,
  "source": "ADMINISTRATOR_LOGIN"
}